Security for VPNs with IPsec Configuration Guide, Cisco ... · Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S Americas Headquarters Cisco Systems, Inc. 170

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release15S

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITEDWARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITHTHE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain versionof the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDINGANYOTHERWARRANTYHEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS"WITH ALL FAULTS.CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OFMERCHANTABILITY, FITNESS FORA PARTICULAR PURPOSEANDNONINFRINGEMENTORARISING FROMACOURSEOFDEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUTLIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERSHAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, networktopology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentionaland coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnershiprelationship between Cisco and any other company. (1110R)

© 2017 Cisco Systems, Inc. All rights reserved.

http://www.cisco.com/go/trademarks

http://www.cisco.com/go/trademarks

C O N T E N T S

C H A P T E R 1 Configuring Security for VPNs with IPsec 1

Finding Feature Information 1

Prerequisites for Configuring Security for VPNs with IPsec 2

Restrictions for Configuring Security for VPNs with IPsec 2

Information About Configuring Security for VPNs with IPsec 3

Supported Standards 3

Supported Switching Paths, and Encapsulation 5

Supported Hardware 5

VPN Accelerator Module Support 5

AIMs and NM Support 5

Supported Switching Paths 7

Supported Encapsulation 7

IPsec Functionality Overview 8

IKEv1 Transform Sets 8

IKEv2 Transform Sets 8

IPsec Traffic Nested to Multiple Peers 9

Crypto Access Lists 9

Crypto Access List Overview 9

When to Use the permit and deny Keywords in Crypto Access Lists 10

Mirror Image Crypto Access Lists at Each IPsec Peer 12

When to Use the any Keyword in Crypto Access Lists 13

Transform Sets: A Combination of Security Protocols and Algorithms 13

About Transform Sets 13

Cisco IOS Suite-B Support for IKE and IPsec Cryptographic Algorithms 15

Suite-B Requirements 16

Where to Find Suite-B Configuration Information 16

Crypto Map Sets 17

About Crypto Maps 17

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S iii

Load Sharing Among Crypto Maps 18

Crypto Map Guidelines 18

Static Crypto Maps 19

Dynamic Crypto Maps 19

Dynamic Crypto Maps Overview 19

Tunnel Endpoint Discovery 20

Redundant Interfaces Sharing the Same Crypto Map 22

Establish Manual SAs 23

How to Configure IPsec VPNs 23

Creating Crypto Access Lists 23

What to Do Next 24

Configuring Transform Sets for IKEv1 and IKEv2 Proposals 24

Restrictions 25

Configuring Transform Sets for IKEv1 25

What to Do Next 26


Transform Sets for IKEv2 Examples 28

What to Do Next 29

Creating Crypto Map Sets 29

Creating Static Crypto Maps 29

Troubleshooting Tips 32

What to Do Next 32

Creating Dynamic Crypto Maps 32


What to Do Next 36

Creating Crypto Map Entries to Establish Manual SAs 36


What to Do Next 39

Applying Crypto Map Sets to Interfaces 39

Configuration Examples for IPsec VPN 41

Example: Configuring AES-Based Static Crypto Map 41

Additional References 42

Feature Information for Configuring Security for VPNs with IPsec 44

C H A P T E R 2 IPsec Virtual Tunnel Interfaces 47

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15Siv

Contents


Restrictions for IPsec Virtual Tunnel Interfaces 48

Information About IPsec Virtual Tunnel Interfaces 48

Benefits of Using IPsec Virtual Tunnel Interfaces 48

Static Virtual Tunnel Interfaces 49

Dynamic Virtual Tunnel Interfaces 49

Dynamic Virtual Tunnel Interface Life Cycle 50

Routing with IPsec Virtual Tunnel Interfaces 51

Traffic Encryption with the IPsec Virtual Tunnel Interface 51

How to Configure IPsec Virtual Tunnel Interfaces 52

Configuring Static IPsec Virtual Tunnel Interfaces 52

Configuring Dynamic IPsec Virtual Tunnel Interfaces 54

Configuration Examples for IPsec Virtual Tunnel Interfaces 56

Example: Static Virtual Tunnel Interface with IPsec 56

Example: Verifying the Results for the IPsec Static Virtual Tunnel Interface 58

Example: VRF-Aware Static Virtual Tunnel Interface 59

Example: Static Virtual Tunnel Interface with QoS 59

Example: Static Virtual Tunnel Interface with Virtual Firewall 60

Example: Dynamic Virtual Tunnel Interface Easy VPN Server 61

Example: Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN

Server 62

Example: Dynamic Virtual Tunnel Interface Easy VPN Client 62

Example: Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN

Client 63

Example: VRF-Aware IPsec with Dynamic VTI 64

Example: Dynamic Virtual Tunnel Interface with Virtual Firewall 64

Example: Dynamic Virtual Tunnel Interface with QoS 65

Additional References for IPsec Virtual Tunnel Interface 66

Feature Information for IPsec Virtual Tunnel Interfaces 67

C H A P T E R 3 SafeNet IPsec VPN Client Support 71


Prerequisites for SafeNet IPsec VPN Client Support 72

Restrictions for SafeNet IPsec VPN Client Support 72

Information About SafeNet IPsec VPN Client Support 72

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S v

Contents

ISAKMP Profile and ISAKMP Keyring Configurations Background 72

Local Termination Address or Interface 72

Benefit of SafeNet IPsec VPN Client Support 73

How to Configure SafeNet IPsec VPN Client Support 73

Limiting an ISAKMP Profile to a Local Termination Address or Interface 73

Limiting a Keyring to a Local Termination Address or Interface 74

Monitoring and Maintaining SafeNet IPsec VPN Client Support 75

Examples 76

debug crypto isakmp Command Output for an ISAKMP Keyring That IsBound to

Local Termination Addresses Example 76

debug crypto isakmp Command Output for an ISAKMP ProfileThat Is Boundto

a Local Termination Address Example 76

show crypto isakmp profile Command Output Example 77

Troubleshooting SafeNet IPsec VPN Client Support 77

Configuration Examples for SafeNet IPsec VPN Client Support 77

ISAKMP Profile Bound to a Local Interface Example 77

ISAKMP Keyring Bound to a Local Interface Example 77

ISAKMP Keyring Bound to a Local IP Address Example 78

ISAKMP Keyring Bound to an IP Address and Limited to a VRF Example 78


Related DocumentsStandards 78

MIBs 79

RFCs 79

Technical Assistance 79

C H A P T E R 4 Crypto Conditional Debug Support 81


Prerequisites for Crypto Conditional Debug Support 82

Restrictions for Crypto Conditional Debug Support 82

Information About Crypto Conditional Debug Support 82

Supported Condition Types 82

How to Enable Crypto Conditional Debug Support 83

Enabling Crypto Conditional Debug Messages 83

Performance Considerations 83

Disable Crypto Debug Conditions 84

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15Svi

Contents

Enabling Crypto Error Debug Messages 85

debug crypto error CLI 85

Configuration Examples for the Crypto Conditional Debug CLIs 86

Enabling Crypto Conditional Debugging Example 86

Disabling Crypto Conditional Debugging Example 87


C H A P T E R 5 VPN Acceleration Module 89


Prerequisites for VPN Acceleration Module 90

Information about VPN Acceleration Module (VAM) 90

VPN Acceleration Module (VAM) Overview 90

Benefits 90

How To Configure VPN Acceleration Module (VAM) 93

Creating IKE Policies 93

Configuring IPsec 96

Creating Crypto Access Lists 97


Creating Static Crypto Maps 99

Verifying the Configuration 102


Monitoring and Maintaining the VPN Acceleration Module 105

Configuration Examples for VPN Acceleration 106

Example: Configuring IKE Policies 106

Example: Configuring IPsec Configuration 106

Additional References for VPN Acceleration Module 107

Feature Information for VPN Acceleration Module 108

Glossary 110

C H A P T E R 6 IPv6 over IPv4 GRE Tunnel Protection 111


Prerequisites for IPv6 over IPv4 GRE Tunnel Protection 111

Restrictions for IPv6 over IPv4 GRE Tunnel Protection 112

Information About IPv6 over IPv4 GRE Tunnel Protection 112

GRE Tunnels with IPsec 112

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S vii

Contents

How to Configure IPv6 over IPv4 GRE Tunnel Protection 114

Configuring IPv6 over IPv4 GRE Encryption Using a Crypto Map 114

Configuring IPv6 over IPv4 GRE Encryption Using Tunnel Protection 118

Configuration Examples for IPv6 over IPv4 GRE Tunnel Protection 121

Example: Configuring IPv6 over IPv4 GRE Encryption Using a Crypto Map 121

Example: Configuring IPv6 over IPv4 GRE Encryption Using Tunnel Protection 122


Feature Information for IPv6 over IPv4 GRE Tunnel Protection 123

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15Sviii

Contents

C H A P T E R 1Configuring Security for VPNs with IPsec

This module describes how to configure basic IPsec VPNs. IPsec is a framework of open standards developedby the IETF. It provides security for the transmission of sensitive information over unprotected networkssuch as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets betweenparticipating IPsec devices (“peers”), such as Cisco routers.

Security threats, as well as the cryptographic technologies to help protect against them, are constantlychanging. For more information about the latest Cisco cryptographic recommendations, see the NextGeneration Encryption (NGE) white paper.

Note

• Finding Feature Information, page 1

• Prerequisites for Configuring Security for VPNs with IPsec, page 2

• Restrictions for Configuring Security for VPNs with IPsec, page 2

• Information About Configuring Security for VPNs with IPsec, page 3

• How to Configure IPsec VPNs, page 23

• Configuration Examples for IPsec VPN, page 41

• Additional References, page 42

• Feature Information for Configuring Security for VPNs with IPsec, page 44

Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats andfeature information, see Bug Search Tool and the release notes for your platform and software release. Tofind information about the features documented in this module, and to see a list of the releases in which eachfeature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S 1

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html


https://tools.cisco.com/bugsearch/search

http://www.cisco.com/go/cfn

Prerequisites for Configuring Security for VPNs with IPsecIKE Configuration

You must configure Internet Key Exchange (IKE) as described in the module Configuring Internet KeyExchange for IPsec VPNs.

If you decide not to use IKE, you must still disable it as described in the module Configuring Internet KeyExchange for IPsec VPNs.

Note

Ensure Access Lists Are Compatible with IPsec

IKE uses UDP port 500. The IPsec encapsulating security payload (ESP) and authentication header (AH)protocols use protocol numbers 50 and 51, respectively. Ensure that your access lists are configured so thattraffic from protocol 50, 51, and UDP port 500 are not blocked at interfaces used by IPsec. In some cases,you might need to add a statement to your access lists to explicitly permit this traffic.

Restrictions for Configuring Security for VPNs with IPsecAccess Control Lists

Cisco ASR 1000 Series Aggregation Services Routers does not support access control lists (ACLs) that havediscontiguous masks in IPsec.

NAT Configuration

If you use Network Address Translation (NAT), you should configure static NAT so that IPsec works properly.In general, NAT should occur before the router performs IPsec encapsulation; in other words, IPsec shouldwork with global addresses.

Nested IPsec Tunnels

IPsec supports nested tunnels that terminate on the same router. Double encryption of locally generated IKEpackets and IPsec packets is supported only when a static virtual tunnel interface (sVTI) is configured. Doubleencryption is supported on releases up to and including Cisco IOS Release 12.4(15)T, but not on later releases.

With CSCts46591, the following nested IPsec tunnels are supported:

• Virtual tunnel interface (VTI) in VTI

• VTI in Generic Routing Encapsulation (GRE)/IPsec

• GRE/IPsec in VTI

• GRE/IPsec in GRE/IPsec

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S2

Configuring Security for VPNs with IPsecPrerequisites for Configuring Security for VPNs with IPsec

Unicast IP Datagram Application Only

IPsec can be applied to unicast IP datagrams only. Because the IPsec Working Group has not yet addressedthe issue of group key distribution, IPsec does not currently work with multicasts or broadcast IP datagrams.

Unsupported Interface Types

• Crypto VPNs are not supported on the bridge domain interfaces (BDI).

• Crypto maps are not supported on tunnel interface and port-channel interface.

Cisco IPsec Policy Map MIB

The MIB OID objects are displayed only when an IPsec session is up.

IPv4 Packets with IP Options Set

The following platforms do not support encrypting IPv4 packets with IP options set:

Cisco ASR1001 and ASR1000 routers with ESP-5, ESP-10, ESP-20, and ESP-40.

Information About Configuring Security for VPNs with IPsec

Supported StandardsCisco implements the following standards with this feature:

• IPsec—IPsec is a framework of open standards that provides data confidentiality, data integrity, anddata authentication between participating peers. IPsec provides these security services at the IP layer;IPsec uses IKE to handle negotiation of protocols and algorithms based on the local policy, and generatethe encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or moredata flows between a pair of hosts, between a pair of security gateways, or between a security gatewayand a host.

The term IPsec is sometimes used to describe the entire protocol of IPsec data servicesand IKE security protocols, and is also sometimes used to describe only the data services.

Note

• IKE (IKEv1 and IKEv2)—Ahybrid protocol that implements Oakley and SKEME key exchanges insidethe Internet Security Association and Key Management Protocol (ISAKMP) framework. While IKE isused with other protocols, its initial implementation is with the IPsec protocol. IKE provides authenticationof IPsec peers, negotiates IPsec security associations, and establishes IPsec keys.

The component technologies implemented for IPsec include:


Configuring Security for VPNs with IPsecInformation About Configuring Security for VPNs with IPsec

Cisco no longer recommends using DES, 3DES, MD5 (including HMAC variant), and Diffie-Hellman(DH) groups 1, 2 and 5; instead, you should use AES, SHA and DH Groups 14 or higher. For moreinformation about the latest Cisco cryptographic recommendations, see the Next Generation Encryption(NGE) white paper.

Note

• AES—Advanced Encryption Standard. A cryptographic algorithm that protects sensitive, unclassifiedinformation. AES is a privacy transform for IPsec and IKE and has been developed to replace DES.AES is designed to be more secure than DES. AES offers a larger key size, while ensuring that the onlyknown approach to decrypt a message is for an intruder to try every possible key. AES has a variablekey length—the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.

• DES—Data Encryption Standard. An algorithm that is used to encrypt packet data. Cisco softwareimplements the mandatory 56-bit DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requiresan initialization vector (IV) to start encryption. The IV is explicitly given in the IPsec packet. Forbackwards compatibility, Cisco IOS IPsec also implements the RFC 1829 version of ESP DES-CBC.

Cisco IOS also implements Triple DES (168-bit) encryption, depending on the software versions availablefor a specific platform. Cisco no longer recommends Triple DES (3DES).

Cisco IOS images with strong encryption (including, but not limited to 56-bit data encryption feature sets)are subject to United States government export controls, and have a limited distribution. Images to beinstalled outside the United States require an export license. Customer orders might be denied or subjectto delay due to United States government regulations. Contact your sales representative or distributor formore information, or send an e-mail to [email protected].

Note

• SHA-2 and SHA-1 family (HMAC variant)—Secure Hash Algorithm (SHA) 1 and 2. Both SHA-1 andSHA-2 are hash algorithms used to authenticate packet data and verify the integrity verificationmechanisms for the IKE protocol. HMAC is a variant that provides an additional level of hashing. SHA-2family adds the SHA-256 bit hash algorithm and SHA-384 bit hash algorithm. This functionality is partof the Suite-B requirements that comprises four user interface suites of cryptographic algorithms for usewith IKE and IPSec that are described in RFC 4869. Each suite consists of an encryption algorithm, adigital signature algorithm, a key agreement algorithm, and a hash or message digest algorithm. See theConfiguring Security for VPNs with IPsec feature module for more detailed information about CiscoIOS Suite-B support.

• Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared secretover an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys.It supports 768-bit (the default), 1024-bit, 1536-bit, 2048-bit, 3072-bit, and 4096-bit DH groups. It alsosupports a 2048-bit DH group with a 256-bit subgroup, and 256-bit and 384-bit elliptic curve DH(ECDH). Cisco recommends using 2048-bit or larger DH key exchange, or ECDH key exchange.

• MD5 (Hash-basedMessage Authentication Code (HMAC) variant)—Message digest algorithm 5 (MD5)is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

IPsec as implemented in Cisco software supports the following additional standards:

• AH—Authentication Header. A security protocol, which provides data authentication and optionalanti-replay services. AH is embedded in the data to be protected (a full IP datagram).


Configuring Security for VPNs with IPsecSupported Standards


• ESP—Encapsulating Security Payload. A security protocol, which provides data privacy services andoptional data authentication, and anti-replay services. ESP encapsulates the data to be protected.

Supported Switching Paths, and Encapsulation

Supported Hardware

VPN Accelerator Module Support

The VPN Accelerator Module (VAM) is a single-width acceleration module. It provides high-performance,hardware-assisted tunneling and encryption services suitable for VPN remote access, site-to-site intranet, andextranet applications. It also provides platform scalability and security while working with all services necessaryfor successful VPN deployments—security, quality of service (QoS), firewall and intrusion detection,service-level validation, and management. The VAM off-loads IPsec processing from the main processor,thus freeing resources on the processor engines for other tasks.

The VAM provides hardware-accelerated support for the following multiple encryption functions:

• 56-bit DES standard mode: CBC

• 3-Key Triple DES (168-bit)

• SHA-1 and MD5

• Rivest, Shamir, Adleman (RSA) public-key algorithm

• Diffie-Hellman key exchange RC4-40

For more information on VAMs, see the document VPN Acceleration Module (VAM).

AIMs and NM Support

The data encryption Advanced IntegrationModule (AIM) and NetworkModule (NM) provide hardware-basedencryption.

The data encryption AIMs and NM are hardware Layer 3 (IPsec) encryption modules and provide DES andTriple DES IPsec encryption for multiple T1s or E1s of bandwidth. These products also have hardware supportfor Diffie-Hellman, RSA, and DSA key generation.

Before using either module, note that RSA manual keying is not supported.

See the table below to determine which VPN encryption module to use.

IPPCP Software for Use with AIMs and NMs in Cisco 2600 and Cisco 3600 Series Routers

The software Internet Protocol Payload Compression Protocol (IPPCP) with AIMs and NMs allows customersto use Lempel-Ziv-Stac (LZS) software compression with IPsec when a VPN module is in Cisco 2600 andCisco 3600 series routers, allowing users to effectively increase the bandwidth on their interfaces.

Without IPPCP software, compression is not supported with the VPN encryption hardware AIM and NM;that is, a user has to remove the VPN module from the router and run the software encryption with softwarecompression. IPPCP enables all VPN modules to support LZS compression in the software when the VPN


Configuring Security for VPNs with IPsecSupported Switching Paths, and Encapsulation

http://www.cisco.com/en/US/docs/ios/12_2/12_2y/12_2ye9/feature/guide/12ye_vam.html

module is in the router, thereby allowing users to configure data compression and increase their bandwidth,which is useful for a low data link.

Without IPPCP, compression occurs at Layer 2, and encryption occurs at Layer 3. After a data stream isencrypted, it is passed on for compression services. When the compression engine receives the encrypted datastreams, the data expands and does not compress. This feature enables both compression and encryption ofthe data to occur at Layer 3 by selecting LZS with the IPsec transform set; that is, LZS compression occursbefore encryption, and with better compression ratio.

Table 1: AIM/VPN Encryption Module Support by Cisco IOS Release

EncryptionModule Supportby Cisco IOSRelease—12.3(7)T

EncryptionModule Supportby Cisco IOSRelease—12.3(6)

EncryptionModule Supportby Cisco IOSRelease—12.3(5)



Platform

Software-basedAES

Software-basedAES

Software-basedAES

Software-basedAES

Software-basedAES

Cisco 831

Software-basedAES

Software-basedAES

Software-basedAES

Software-basedAES

Software-basedAES

Cisco 1710

Cisco 1711

Cisco 1721

Cisco 1751

Cisco 1760

AIM-VPN/BPII-PlusHardwareEncryptionModule


———Cisco 2600 XM


AIM-VPN/BPIIHardwareEncryptionModule



—Cisco 2611 XM

Cisco 2621 XM

Cisco 2651 XM

AIM-VPN/EPII-PlusHardwareEncryptionModule

AIM-VPN/EPIIHardwareEncryptionModule




Cisco 2691 XM

AIM-VPN/HPII-PlusHardwareEncryptionModule



AIM-VPN/HPIIHardwareEncryptionModule

AIM-VPN/HPIIHardwareEncryptionModule

Cisco 3660

Cisco 3745






Cisco 3735



For more information on AIMs and NM, see the Installing Advanced Integration Modules in Cisco 2600Series, Cisco 3600 Series, and Cisco 3700 Series Routers document.

Supported Switching PathsThe table below lists the supported switching paths that work with IPsec.

Table 2: Supported Switching Paths for IPsec

ExamplesSwitching Paths

ip cefinterface ethernet0/0ip route-cache! Ensure that you will not hit flowswitching.no ip route-cache flow

Cisco Express Forwarding

! Enable global CEF.ip cefinterface ethernet0/0ip route-cacheip route-cache flow! Enable CEF for the interfaceip route-cache cef

Cisco Express Forwarding-flow switching

interface ethernet0/0ip route-cache! Ensure that you will not hit flowswitching.no ip route-cache flow! Disable CEF for the interface, whichsupersedes global CEF.no ip route-cache cef

Fast switching

interface ethernet0/0ip route-cache! Enable flow switchingp route-cache flow! Disable CEF for the interface.no ip route-cache cef

Fast-flow switching

interface ethernet0/0no ip route-cache

Process switching

Supported EncapsulationIPsec works with the following serial encapsulations: Frame Relay, High-Level Data-Links Control (HDLC),and PPP.

IPsec also works with Generic Routing Encapsulation (GRE) and IPinIP Layer 3, Data Link Switching+(DLSw+), and Source Route Bridging (SRB) tunneling protocols; however, multipoint tunnels are not supported.Other Layer 3 tunneling protocols may not be supported for use with IPsec.



http://www.cisco.com/en/US/docs/routers/access/2600/hardware/module/installation/guide/aims_ins.html

http://www.cisco.com/en/US/docs/routers/access/2600/hardware/module/installation/guide/aims_ins.html

IPsec Functionality OverviewIPsec provides the following network security services. (In general, the local security policy dictates the useof one or more of these services.)

• Data confidentiality—The IPsec sender can encrypt packets before transmitting them across a network.

• Data integrity—The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that thedata has not been altered during transmission.

• Data origin authentication—The IPsec receiver can authenticate the source of the sent IPsec packets.This service is dependent upon the data integrity service.

• Anti-replay—The IPsec receiver can detect and reject replayed packets.

IPsec provides secure tunnels between two peers, such as two routers. You define which packets are consideredsensitive and should be sent through these secure tunnels, and you define the parameters that should be usedto protect these sensitive packets by specifying the characteristics of these tunnels. When the IPsec peerrecognizes a sensitive packet, the peer sets up the appropriate secure tunnel and sends the packet through thetunnel to the remote peer. (The use of the term tunnel in this chapter does not refer to using IPsec in tunnelmode.)

More accurately, these tunnels are sets of security associations (SAs) that are established between two IPsecpeers. The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keyingmaterial to be used by the two peers. SAs are unidirectional and are established per security protocol (AH orESP).

Once established, the set of SAs (outbound to the peer) is then applied to the triggering packet and to subsequentapplicable packets as those packets exit the router. “Applicable” packets are packets that match the same accesslist criteria that the original packet matched. For example, all applicable packets could be encrypted beforebeing forwarded to the remote peer. The corresponding inbound SAs are used when processing the incomingtraffic from that peer.

Multiple IPsec tunnels can exist between two peers to secure different data streams, with each tunnel using aseparate set of SAs. For example, some data streams only need to be authenticated, while other data streamsmust both be encrypted and authenticated.

IKEv1 Transform SetsAn Internet Key Exchange version 1 (IKEv1) transform set represents a certain combination of securityprotocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform setfor protecting a particular data flow.

IKEv2 Transform SetsAn Internet Key Exchange version 2 (IKEv2) proposal is a set of transforms used in the negotiation of IKEv2SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded as complete only when it has atleast an encryption algorithm, an integrity algorithm, and a Diffie-Hellman (DH) group configured. If noproposal is configured and attached to an IKEv2 policy, then the default proposal is used in the negotiation.The default proposal is a collection of commonly used algorithms which are as follows:

encryption aes-cbc-128 3des


Configuring Security for VPNs with IPsecIPsec Functionality Overview

integrity sha1 md5group 5 2

Although the crypto ikev2 proposal command is similar to the crypto isakmp policy priority command,the IKEv2 proposal differs as follows:

• An IKEv2 proposal allows configuration of one or more transforms for each transform type.

• An IKEv2 proposal does not have any associated priority.

To use IKEv2 proposals in negotiation, they must be attached to IKEv2 policies. If a proposal is notconfigured, then the default IKEv2 proposal is used with the default IKEv2 policy.

Note

IPsec Traffic Nested to Multiple PeersYou can nest IPsec traffic to a series of IPsec peers. For example, for traffic to traverse multiple firewalls(these firewalls have a policy of not letting through traffic that they have not authenticated), the router mustestablish IPsec tunnels with each firewall in turn. The “nearer” firewall becomes the “outer” IPsec peer.In the example shown in the figure below, Router A encapsulates the traffic destined for Router C in IPsec(Router C is the inner IPsec peer). However, before Router A can send this traffic, it must first reencapsulatethis traffic in IPsec to send it to Router B (Router B is the “outer” IPsec peer).

Figure 1: Nesting Example of IPsec Peers

It is possible for the traffic between the “outer” peers to have one kind of protection (such as data authentication)and for traffic between the “inner” peers to have a different protection (such as both data authentication andencryption).

Crypto Access Lists

Crypto Access List OverviewCrypto access lists are used to define which IP traffic is protected by crypto and which traffic is not protectedby crypto. (These access lists are not the same as regular access lists, which determine what traffic to forwardor block at an interface.) For example, access lists can be created to protect all IP traffic between Subnet Aand Subnet Y or Telnet traffic between Host A and Host B.


Configuring Security for VPNs with IPsecIPsec Traffic Nested to Multiple Peers

The access lists themselves are not specific to IPsec. It is the crypto map entry referencing the specific accesslist that defines whether IPsec processing is applied to the traffic matching a permit in the access list.

Crypto access lists associated with IPsec crypto map entries have four primary functions:

• Select outbound traffic to be protected by IPsec (permit = protect).

• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiatingnegotiations for IPsec security associations.

• Process inbound traffic to filter out and discard traffic that should have been protected by IPsec.

• Determine whether or not to accept requests for IPsec security associations on behalf of the requesteddata flows when processing IKE negotiation from the IPsec peer.

• Perform negotiation only for ipsec-isakmp crypto map entries.

If you want certain traffic to receive one combination of IPsec protection (for example, authentication only)and other traffic to receive a different combination of IPsec protection (for example, both authentication andencryption), you need to create two different crypto access lists to define the two different types of traffic.These different access lists are then used in different crypto map entries, which specify different IPsec policies.

The IPsec traffic cannot be sent when the crypto map access list is modified under a crypto map. The IPsectraffic can be forwarded again after the tunnels are re-keyed. Use the clear crypto session command tocontinue IPsec traffic forwarding.

Note

When to Use the permit and deny Keywords in Crypto Access ListsCrypto protection can be permitted or denied for certain IP traffic in a crypto access list as follows:

• To protect IP traffic that matches the specified policy conditions in its corresponding crypto map entry,use the permit keyword in an access list.

• To refuse protection for IP traffic that matches the specified policy conditions in its corresponding cryptomap entry, use the deny keyword in an access list.

IP traffic is not protected by crypto if it is refused protection in all of the crypto map entries for an interface.Note

After the corresponding crypto map entry is defined and the crypto map set is applied to the interface, thedefined crypto access list is applied to the interface. Different access lists must be used in different entries ofthe same crypto map set. However, both inbound and outbound traffic is evaluated against the same “outbound”IPsec access list. Therefore, the access list criteria is applied in the forward direction to traffic exiting yourrouter and in the reverse direction to traffic entering your router.

In the figure below, IPsec protection is applied to traffic between Host 10.0.0.1 and Host 192.168.0.2 as thedata exits Router A’s S0 interface en route to Host 192.168.0.2. For traffic from Host 10.0.0.1 to Host192.168.0.2, the access list entry on Router A is evaluated as follows:source = host 10.0.0.1dest = host 192.168.0.2


Configuring Security for VPNs with IPsecCrypto Access Lists

For traffic from Host 192.168.0.2 to Host 10.0.0.1, the access list entry on Router A is evaluated as follows:source = host 192.168.0.2dest = host 10.0.0.1

Figure 2: How Crypto Access Lists Are Applied for Processing IPsec

If you configure multiple statements for a given crypto access list that is used for IPsec, in general the firstpermit statement that is matched is the statement used to determine the scope of the IPsec SA. That is, theIPsec SA is set up to protect traffic that meets the criteria of the matched statement only. Later, if trafficmatches a different permit statement of the crypto access list, a new, separate IPsec SA is negotiated to protecttraffic matching the newly matched access list statement.

Any unprotected inbound traffic that matches a permit entry in the crypto access list for a crypto map entryflagged as IPsec is dropped because this traffic was expected to be protected by IPsec.

If you view your router’s access lists by using a command such as show ip access-lists, all extended IPaccess lists are shown in the command output. This display output includes extended IP access lists thatare used for traffic filtering purposes and those that are used for crypto. The show command output doesnot differentiate between the different uses of the extended access lists.

Note

The following example shows that if overlapping networks are used, then the most specific networks aredefined in crypto sequence numbers before less specific networks are defined. In this example, the morespecific network is covered by the crypto map sequence number 10, followed by the less specific network inthe crypto map, which is sequence number 20.

crypto map mymap 10 ipsec-isakmpset peer 192.168.1.1set transform-set testmatch address 101crypto map mymap 20 ipsec-isakmpset peer 192.168.1.1set transform-set testmatch address 102access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255access-list 102 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255



The following example shows how having a deny keyword in one crypto map sequence number and havinga permit keyword for the same subnet and IP range in another crypto map sequence number are not supported.

crypto map mymap 10 ipsec-isakmpset peer 192.168.1.1set transform-set testmatch address 101crypto map mymap 20 ipsec-isakmpset peer 192.168.1.1set transform-set testmatch address 102access-list 101 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

Mirror Image Crypto Access Lists at Each IPsec PeerCisco recommends that for every crypto access list specified for a static crypto map entry that you define atthe local peer, you define a “mirror image” crypto access list at the remote peer. This ensures that traffic thathas IPsec protection applied locally can be processed correctly at the remote peer. (The crypto map entriesthemselves must also support common transforms and must refer to the other system as a peer.)

The figure below shows some sample scenarios of mirror image and nonmirror image access lists.

Figure 3: Mirror Image vs. Nonmirror Image Crypto Access Lists (for IPsec)



As the above figure indicates, IPsec SAs can be established as expected whenever the two peers’ crypto accesslists are mirror images of each other. However, an IPsec SA can be established only some of the time whenaccess lists are not mirror images of each other. This can happen in the case where an entry in one peer’saccess list is a subset of an entry in the other peer’s access list, such as shown in Cases 3 and 4 in the abovefigure. IPsec SA establishment is critical to IPsec—without SAs, IPsec does not work, thus causing packetsmatching the crypto access list criteria to be silently dropped instead of being forwarded with IPsec.

In the figure above, an SA cannot be established in Case 4. This is because SAs are always requested accordingto the crypto access lists at the initiating packet’s end. In Case 4, Router N requests that all traffic betweenSubnet X and Subnet Y be protected, but this is a superset of the specific flows permitted by the crypto accesslist at Router M, so the request is not permitted. Case 3 works because Router M’s request is a subset of thespecific flows permitted by the crypto access list at Router N.

Because of the complexities introduced when crypto access lists are not configured as mirror images at peerIPsec devices, Cisco strongly encourages you to use mirror image crypto access lists.

When to Use the any Keyword in Crypto Access ListsWhen you create crypto access lists, using the any keyword could cause problems. Cisco discourages the useof the any keyword to specify the source or destination addresses. By default, VTI solutions use the anykeyword as a proxy identity. Use of VTI is encouraged when proxy identities of any are required.

The any keyword in a permit statement is not recommended when you have multicast traffic flowing throughthe IPsec interface; the any keyword can cause multicast traffic to fail.

The permit any any statement is strongly discouraged because this causes all outbound traffic to be protected(and all protected traffic is sent to the peer specified in the corresponding crypto map entry) and requiresprotection for all inbound traffic. Then, all inbound packets that lack IPsec protection are silently dropped,including packets for routing protocols, the Network Time Protocol (NTP), echo, echo response, and so on.

You need to be sure that you define which packets to protect. If you must use the any keyword in a permitstatement, you must preface that statement with a series of deny statements to filter out any traffic (that wouldotherwise fall within that permit statement) that you do not want to be protected.

The use of the any keyword in access control lists (ACLs) with reverse route injection (RRI) is not supported.(For more information on RRI, see the section “Creating Crypto Map Sets.”)

Transform Sets: A Combination of Security Protocols and Algorithms

About Transform Sets

Cisco no longer recommends using ah-md5-hmac, esp-md5-hmac, esp-des or esp-3des. Instead, you shoulduse ah-sha-hmac, esp-sha-hmac or esp-aes. For more information about the latest Cisco cryptographicrecommendations, see the Next Generation Encryption (NGE) white paper.

Note

A transform set represents a certain combination of security protocols and algorithms. During the IPsec SAnegotiation, the peers agree to use a particular transform set for protecting a particular data flow.

During IPsec security association negotiations with IKE, peers search for an identical transform set for bothpeers. When such a transform set is found, it is selected and applied to the protected traffic as part of both


Configuring Security for VPNs with IPsecTransform Sets: A Combination of Security Protocols and Algorithms


peers’ IPsec SAs. (With manually established SAs, there is no negotiation with the peer, so both sides mustspecify the same transform set.)

The table below shows allowed transform combinations.

Table 3: Allowed Transform Combinations

DescriptionTransformTransform Type

AHwith theMD5 (MessageDigest5) (an HMAC variant)authentication algorithm. (Nolonger recommended).

ah-md5-hmacAH Transform (Pick only one.)

AH with the SHA (Secure HashAlgorithm) (an HMAC variant)authentication algorithm.

ah-sha-hmac

ESP with the 128-bit AdvancedEncryption Standard (AES)encryption algorithm.

esp-aesESP Encryption Transform(Pick only one.)

The esp-gcm and esp-gmactransforms are ESPs with either a128-bit or a 256-bit encryptionalgorithm. The default for either ofthese transforms is 128 bits.

Both esp-gcm and esp-gmactransforms cannot be configuredtogether with any other ESPtransform within the same cryptoIPsec transform set using thecrypto ipsec transform-setcommand.

The esp-gcm and esp-gmaccombinations are not supported onthe Cisco ASR 1001 routers withthe following ESPs:

• ESP-5

• ESP-10

• ESP-20

• ESP-40

esp-gcm

esp-gmac

ESP with the 192-bit AESencryption algorithm.

esp-aes 192

ESP with the 256-bit AESencryption algorithm.

esp-aes 256


Configuring Security for VPNs with IPsecTransform Sets: A Combination of Security Protocols and Algorithms

DescriptionTransformTransform Type

ESP with the 56-bit DataEncryption Standard (DES)encryption algorithm. (No longerrecommended).

esp-des

ESP with the 168-bit DESencryption algorithm (3DES orTriple DES). (No longerrecommended).

esp-3des

Null encryption algorithm.esp-null

ESP with the MD5 (HMACvariant) authentication algorithm.(No longer recommended).

esp-md5-hmacESP Authentication Transform(Pick only one.)

ESP with the SHA (HMACvariant) authentication algorithm.

esp-sha-hmac


Note

Cisco IOS Suite-B Support for IKE and IPsec Cryptographic AlgorithmsSuite-B adds support for four user interface suites of cryptographic algorithms for use with IKE and IPSecthat are described in RFC 4869. Each suite consists of an encryption algorithm, a digital signature algorithm,a key agreement algorithm, and a hash or message digest algorithm.

Suite-B is not supported on the following hardware platforms:

• Cisco ASR1001

• ESP-5

• ESP-10

• ESP-20

• ESP-40

Suite-B has the following cryptographic algorithms:

• Suite-B-GCM-128-Provides ESP integrity protection, confidentiality, and IPsec encryption algorithmsthat use the 128-bit AES using Galois and Counter Mode (AES-GCM) described in RFC 4106. Thissuite should be used when ESP integrity protection and encryption are both needed.


Configuring Security for VPNs with IPsecCisco IOS Suite-B Support for IKE and IPsec Cryptographic Algorithms



• Suite-B-GCM-256-Provides ESP integrity protection and confidentiality using 256-bit AES-GCMdescribed in RFC 4106. This suite should be used when ESP integrity protection and encryption areboth needed.

• Suite-B-GMAC-128-Provides ESP integrity protection using 128-bit AES-GaloisMessageAuthenticationCode (GMAC) described in RFC 4543, but does not provide confidentiality. This suite should be usedonly when there is no need for ESP encryption.

• Suite-B-GMAC-256-Provides ESP integrity protection using 256-bit AES-GMAC described in RFC4543, but does not provide confidentiality. This suite should be used only when there is no need for ESPencryption.

IPSec encryption algorithms use AES-GCM when encryption is required and AES-GMAC for messageintegrity without encryption.

IKE negotiation uses AES Cipher Block Chaining (CBC) mode to provide encryption and Secure HashAlgorithm (SHA)-2 family containing the SHA-256 and SHA-384 hash algorithms, as defined in RFC 4634,to provide the hash functionality. Diffie-Hellman using Elliptic Curves (ECP), as defined in RFC 4753, isused for key exchange and the Elliptic Curve Digital Signature Algorithm (ECDSA), as defined in RFC 4754,to provide authentication.

Suite-B RequirementsSuite-B imposes the following software crypto engine requirements for IKE and IPsec:

• HMAC-SHA256 and HMAC-SHA384 are used as pseudorandom functions; the integrity check withinthe IKE protocol is used. Optionally, HMAC-SHA512 can be used.

• Elliptic curve groups 19 (256-bit ECP curve) and 20 (384-bit ECP curve) are used as the Diffie-Hellmangroup in IKE. Optionally, group 21 (521-bit ECP curve) can be used.

• The Elliptic Curve Digital Signature Algorithm (ECDSA) algorithm (256-bit and 384-bit curves) is usedfor the signature operation within X.509 certificates.

• GCM (16 byte ICV) and GMAC is used for ESP (128-bit and 256-bit keys). Optionally, 192-bit keyscan be used.

• Public Key Infrastructure (PKI) support for validation of X.509 certificates using ECDSA signaturesmust be used.

• PKI support for generating certificate requests using ECDSA signatures and for importing the issuedcertificates into IOS must be used.

• IKEV2 support for allowing the ECDSA signature (ECDSA-sig) as authenticationmethodmust be used.

Where to Find Suite-B Configuration InformationSuite-B configuration support is described in the following documents:

• For more information on the esp-gcm and esp-gmac transforms, see the “Configuring Transform Setsfor IKEv1” section.

• For more information on SHA-2 family (HMAC variant) and Elliptic Curve (EC) key pair configuration,see the Configuring Internet Key Exchange for IPsec VPNs feature module.


Configuring Security for VPNs with IPsecCisco IOS Suite-B Support for IKE and IPsec Cryptographic Algorithms

• For more information on configuring a transform for an integrity algorithm type, see the “Configuringthe IKEv2 Proposal” section in the Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPNSite-to-Site feature module.

• For more information on configuring the ECDSA-sig to be the authentication method for IKEv2, seethe “Configuring IKEv2 Profile (Basic)” section in the Configuring Internet Key Exchange Version 2(IKEv2) and FlexVPN Site-to-Site feature module.

• For more information on configuring elliptic curve Diffie-Hellman (ECDH) support for IPsec SAnegotiation, see the Configuring Internet Key Exchange for IPsec VPNs and Configuring Internet KeyExchange Version 2 and FlexVPN feature modules.

For more information on the Suite-B support for certificate enrollment for a PKI, see theConfiguring CertificateEnrollment for a PKI feature module.

Crypto Map SetsBefore you create crypto map entries, you should determine the type of crypto map—static, dynamic, ormanual—best addresses the needs of your network.

About Crypto MapsCrypto map entries created for IPsec pull together the various parts used to set up IPsec SAs, including:

•Which traffic should be protected by IPsec (per a crypto access list)

• The granularity of the flow to be protected by a set of SAs

•Where IPsec-protected traffic should be sent (who the remote IPsec peer is)

• The local address to be used for the IPsec traffic (See the “Applying Crypto Map Sets to Interfaces”section for more details)

•What IPsec SA should be applied to this traffic (selecting from a list of one or more transform sets)

•Whether SAs are manually established or are established via IKE

• Other parameters that might be necessary to define an IPsec SA

How Crypto Maps Work

Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped intoa crypto map set. Later, you apply these crypto map sets to interfaces; all IP traffic passing through the interfaceis evaluated against the applied crypto map set. If a crypto map entry sees outbound IP traffic that should beprotected and the crypto map specifies the use of IKE, an SA is negotiated with the remote peer according tothe parameters included in the crypto map entry; otherwise, if the crypto map entry specifies the use of manualSAs, an SA should have already been established via configuration. (If a dynamic crypto map entry seesoutbound traffic that should be protected and no security association exists, the packet is dropped.)

The policy described in the crypto map entries is used during the negotiation of SAs. If the local router initiatesthe negotiation, it uses the policy specified in the static crypto map entries to create the offer to be sent to thespecified IPsec peer. If the IPsec peer initiates the negotiation, the local router checks the policy from thestatic crypto map entries, as well as any referenced dynamic crypto map entries, to decide whether to acceptor reject the peer’s request (offer).


Configuring Security for VPNs with IPsecCrypto Map Sets

For IPsec to succeed between two IPsec peers, both peers’ crypto map entries must contain compatibleconfiguration statements.

Compatible Crypto Maps: Establishing an SA

When two peers try to establish an SA, they must each have at least one crypto map entry that is compatiblewith one of the other peer’s crypto map entries. For two crypto map entries to be compatible, they must meetthe following criteria:

• The crypto map entries must contain compatible crypto access lists (for example, mirror image accesslists). In cases, where the responding peer is using dynamic crypto maps, the entries in the local cryptoaccess list must be “permitted” by the peer’s crypto access list.

• The crypto map entries must each identify the other peer (unless the responding peer is using dynamiccrypto maps).

• The crypto map entries must have at least one transform set in common.

Load Sharing Among Crypto MapsYou can define multiple remote peers using crypto maps to allow load sharing. Load sharing is useful becauseif one peer fails, there is still a protected path. The peer to which packets are actually sent is determined bythe last peer that the router heard from (that is, received either traffic or a negotiation request) for a given dataflow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

If you are not sure how to configure each crypto map parameter to guarantee compatibility with other peers,you might consider configuring dynamic crypto maps as described in the section “Creating Dynamic CryptoMaps”. Dynamic crypto maps are useful when the establishment of the IPsec tunnels is initiated by the remotepeer (such as in the case of an IPsec router fronting a server). They are not useful if the establishment of theIPsec tunnels is locally initiated because the dynamic crypto maps are policy templates, not complete statementsof policy.

Crypto Map GuidelinesYou can apply only one crypto map set to a single interface. The crypto map set can include a combinationof IPsec/IKE and IPsec/manual entries. Multiple interfaces can share the same crypto map set if you want toapply the same policy to multiple interfaces.

If you create more than one crypto map entry for a given interface, use the seq-num argument of each mapentry to rank the map entries; the lower the seq-num argument the higher the priority. At the interface thathas the crypto map set, traffic is first evaluated against the higher priority map entries.

You must create multiple crypto map entries for a given interface if any of the following conditions exist:

• If different data flows are to be handled by separate IPsec peers.

• If you want to apply different IPsec security to different types of traffic (for the same or separate IPsecpeers); for example, if you want traffic between one set of subnets to be authenticated, and traffic betweenanother set of subnets to be both authenticated and encrypted. In such cases, the different types of trafficshould be defined in two separate access lists, and you must create a separate crypto map entry for eachcrypto access list.



• If you are not using IKE to establish a particular set of security associations, and you want to specifymultiple access list entries, you must create separate access lists (one per permit entry) and specify aseparate crypto map entry for each access list.

Static Crypto MapsWhen IKE is used to establish SAs, IPsec peers can negotiate the settings they use for the new securityassociations. This means that you can specify lists (such as lists of acceptable transforms) within the cryptomap entry.

Perform this task to create crypto map entries that use IKE to establish the SAs. To create IPv6 crypto mapentries, you must use the ipv6 keyword with the crypto map command. For IPv4 crypto maps, use the cryptomap command without the ipv6 keyword.

Static IPv6 crypto maps with IKE is not supported.Note

Dynamic Crypto MapsDynamic crypto maps can simplify IPsec configuration and are recommended for use with networks wherethe peers are not always predetermined. To create dynamic crypto maps, you should understand the followingconcepts:

Dynamic Crypto Maps Overview

Dynamic crypto maps are only available for use by IKE.

A dynamic crypto map entry is essentially a static crypto map entry without all the parameters configured. Itacts as a policy template where the missing parameters are later dynamically configured (as the result of anIPsec negotiation) to match a remote peer’s requirements. This allows remote peers to exchange IPsec trafficwith the router even if the router does not have a crypto map entry specifically configured to meet all of theremote peer’s requirements.Dynamic crypto maps are not used by the router to initiate new IPsec security associations with remote peers.Dynamic crypto maps are used when a remote peer tries to initiate an IPsec security association with therouter. Dynamic crypto maps are also used in evaluating traffic.

A dynamic crypto map set is included by reference as part of a crypto map set. Any crypto map entries thatreference dynamic crypto map sets should be the lowest priority crypto map entries in the crypto map set (thatis, have the highest sequence numbers) so that the other crypto map entries are evaluated first; that way, thedynamic crypto map set is examined only when the other (static) map entries are not successfully matched.

If the router accepts the peer’s request, it installs the new IPsec security associations, it also installs a temporarycrypto map entry. This entry contains the results of the negotiation. At this point, the router performs normalprocessing using this temporary crypto map entry as a normal entry, even requesting new security associationsif the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Oncethe flow expires (that is, all corresponding security associations expire), the temporary crypto map entry isremoved.

For both static and dynamic crypto maps, if unprotected inbound traffic matches a permit statement in anaccess list, and the corresponding crypto map entry is tagged as “IPsec,” the traffic is dropped because it is



not IPsec-protected. (This is because the security policy as specified by the crypto map entry states that thistraffic must be IPsec-protected.)

For static crypto map entries, if outbound traffic matches a permit statement in an access list and thecorresponding SA is not yet established, the router initiates new SAs with the remote peer. In the case ofdynamic crypto map entries, if no SA exists, the traffic would simply be dropped (because dynamic cryptomaps are not used for initiating new SAs).

Use care when using the any keyword in permit entries in dynamic crypto maps. If the traffic coveredby such a permit entry can include multicast or broadcast traffic, the access list should include denyentries for the appropriate address range. Access lists should also include deny entries for network andsubnet broadcast traffic, and for any other traffic that should not be IPsec protected.

Note

Tunnel Endpoint Discovery

Defining a dynamic crypto map allows only the receiving router to dynamically determine an IPsec peer.Tunnel Endpoint Discovery (TED) allows the initiating router to dynamically determine an IPsec peer forsecure IPsec communications.

Dynamic TED helps to simplify the IPsec configuration on individual routers within a large network. Eachnode has a simple configuration that defines the local network that the router is protecting and the requiredIPsec transforms.

To have a large, fully-meshed network without TED, each peer needs to have static crypto maps to everyother peer in the network. For example, if there are 100 peers in a large, fully-meshed network, each routerneeds 99 static crypto maps for each of its peers. With TED, only a single dynamic TED-enabled crypto mapis needed because the peer is discovered dynamically. Thus, static crypto maps do not need to be configuredfor each peer.

TED only helps in discovering peers and does not function any differently than normal IPsec. TED doesnot improve the scalability of IPsec (in terms of performance or the number of peers or tunnels).

Note

The figure below and the corresponding steps explain a sample TED network topology.

Figure 4: Tunnel Endpoint Discovery Sample Network Topology



SUMMARY STEPS

1. Host A sends a packet that is destined for Host B.2. Router 1 intercepts and reads the packet. According to the IKE policy, Router 1 contains the following

information: the packet must be encrypted, there are no SAs for the packet, and TED is enabled. Thus,Router 1 drops the packet and sends a TED probe into the network. (The TED probe contains the IP addressof Host A (as the source IP address) and the IP address of Host B (as the destination IP address) embeddedin the payload.

3. Router 2 intercepts the TED probe and checks the probe against the ACLs that it protects; after the probematches an ACL, it is recognized as a TED probe for proxies that the router protects. The probe then sendsa TED reply with the IP address of Host B (as the source IP address) and the IP address of Host A (as thedestination IP address) embedded in the payload.

4. Router 1 intercepts the TED reply and checks the payloads for the IP address and half proxy of Router 2.It then combines the source side of its proxy with the proxy found in the second payload and initiates anIKE session with Router 2; thereafter, Router 1 initiates an IPsec session with Router 2.

DETAILED STEPS

Step 1 Host A sends a packet that is destined for Host B.Step 2 Router 1 intercepts and reads the packet. According to the IKE policy, Router 1 contains the following information: the

packet must be encrypted, there are no SAs for the packet, and TED is enabled. Thus, Router 1 drops the packet andsends a TED probe into the network. (The TED probe contains the IP address of Host A (as the source IP address) andthe IP address of Host B (as the destination IP address) embedded in the payload.

Step 3 Router 2 intercepts the TED probe and checks the probe against the ACLs that it protects; after the probe matches anACL, it is recognized as a TED probe for proxies that the router protects. The probe then sends a TED reply with the IPaddress of Host B (as the source IP address) and the IP address of Host A (as the destination IP address) embedded inthe payload.

Step 4 Router 1 intercepts the TED reply and checks the payloads for the IP address and half proxy of Router 2. It then combinesthe source side of its proxy with the proxy found in the second payload and initiates an IKE session with Router 2;thereafter, Router 1 initiates an IPsec session with Router 2.

IKE cannot occur until the peer isidentified.

Note

What to Do Next

TED Versions

The following table lists the available TED versions:

DescriptionFirst Available ReleaseVersion

Performs basic TED functionalityon nonredundant networks.

12.0(5)TTEDv1



DescriptionFirst Available ReleaseVersion

Enhanced to work with redundantnetworks with paths throughmultiple security gateways betweenthe source and the destination.

12.1MTEDv2

Enhanced to allow non-IP-relatedentries to be used in the access list.

12.2MTEDv3

TED Restrictions

TED has the following restrictions:

• It is Cisco proprietary.

• It is available only on dynamic crypto maps. (The dynamic crypto map template is based on the dynamiccrypto map performing peer discovery. Although there are no access-list restrictions on the dynamiccrypto map template, the dynamic crypto map template should cover data sourced from the protectedtraffic and the receiving router using the any keyword. When using the any keyword, include explicitdeny statements to exempt routing protocol traffic prior to entering the permit any command.

• TED works only in tunnel mode; that is, it does not work in transport mode.

• It is limited by the performance and scalability of the limitation of IPsec on each individual platform.

Enabling TED slightly decreases the general scalability of IPsec because of the set-upoverhead of peer discovery, which involves an additional “round-trip” of IKE messages(TED probe and reply). Although minimal, the additional memory used to store datastructures during the peer discovery stage adversely affects the general scalability ofIPsec.

Note

• IP addresses must be routed within the network.

• The access list used in the crypto map for TED can only contain IP-related entries—TCP, UDP, or otherprotocols cannot be used in the access list.

This restriction is no longer applicable in TEDv3.Note

Redundant Interfaces Sharing the Same Crypto MapFor redundancy, you could apply the same crypto map set to more than one interface. The default behavioris as follows:

• Each interface has its own piece of the security association database.

• The IP address of the local interface is used as the local address for IPsec traffic originating from ordestined to that interface.



If you apply the same crypto map set to multiple interfaces for redundancy purposes, you must specify anidentifying interface. One suggestion is to use a loopback interface as the identifying interface. This has thefollowing effects:

• The per-interface portion of the IPsec security association database is established one time and sharedfor traffic through all the interfaces that share the same crypto map.

• The IP address of the identifying interface is used as the local address for IPsec traffic originating fromor destined to those interfaces sharing the same crypto map set.

Establish Manual SAsThe use of manual security associations is a result of a prior arrangement between the users of the local routerand the IPsec peer. The two parties may begin with manual SAs and then move to using SAs established viaIKE, or the remote party’s system may not support IKE. If IKE is not used for establishing SAs, there is nonegotiation of SAs, so the configuration information in both systems must be the same in order for traffic tobe processed successfully by IPsec.

The local router can simultaneously support manual and IKE-established SAs, even within a single cryptomap set.

There is very little reason to disable IKE on the local router (unless the router only supports manual SAs,which is unlikely).

Access lists for crypto map entries tagged as ipsec-manual are restricted to a single permit entry andsubsequent entries are ignored. In other words, the SAs established by that particular crypto map entryare only for a single data flow. To support multiple manually established SAs for different kinds of traffic,define multiple crypto access lists, and apply each one to a separate ipsec-manual crypto map entry. Eachaccess list should include one permit statement defining what traffic to protect.

Note

How to Configure IPsec VPNs

Creating Crypto Access Lists

SUMMARY STEPS

1. enable2. configure terminal3. Do one of the following:

• access-list access-list-number {deny | permit} protocol source source-wildcard destinationdestination-wildcard [log]

• ip access-list extended name

4. Repeat Step 3 for each crypto access list you want to create.


Configuring Security for VPNs with IPsecHow to Configure IPsec VPNs

DETAILED STEPS

PurposeCommand or Action

Enables privileged EXEC mode.enableStep 1

Example:Device> enable

• Enter your password if prompted.

Enters global configuration mode.configure terminal

Example:Device# configure terminal

Step 2

Specifies conditions to determinewhich IP packets are protected.Do one of the following:Step 3

• access-list access-list-number {deny | permit}protocol source source-wildcard destinationdestination-wildcard [log]

• You specify conditions using an IP access list designatedby either a number or a name. The access-list commanddesignates a numbered extended access list; the ipaccess-list extended command designates a named accesslist.• ip access-list extended name

• Enable or disable crypto for traffic that matches theseconditions.Example:

Device(config)# access-list 100 permit ip10.0.68.0 0.0.0.255 10.1.1.0 0.0.0.255 Cisco recommends that you configure “mirror image”

crypto access lists for use by IPsec and that you avoidusing the any keyword.

Tip

Example:Device(config)# ip access-list extendedvpn-tunnel

—Repeat Step 3 for each crypto access list you want tocreate.

Step 4

What to Do NextAfter at least one crypto access list is created, a transform set needs to be defined as described in the“Configuring Transform Sets for IKEv1 and IKEv2 Proposals” section.Next the crypto access lists need to be associated to particular interfaces when you configure and apply cryptomap sets to the interfaces. (Follow the instructions in the “Creating Crypto Map Sets” and “Applying CryptoMap Sets to Interfaces” sections).

Configuring Transform Sets for IKEv1 and IKEv2 ProposalsPerform this task to define a transform set that is to be used by the IPsec peers during IPsec security associationnegotiations with IKEv1 and IKEv2 proposals.


Configuring Security for VPNs with IPsecConfiguring Transform Sets for IKEv1 and IKEv2 Proposals

RestrictionsIf you are specifying SEAL encryption, note the following restrictions:

• Your router and the other peer must not have a hardware IPsec encryption.

• Your router and the other peer must support IPsec.

• Your router and the other peer must support the k9 subsystem.

• SEAL encryption is available only on Cisco equipment. Therefore, interoperability is not possible.

• Unlike IKEv1, the authentication method and SA lifetime are not negotiable in IKEv2, and because ofthis, these parameters cannot be configured under the IKEv2 proposal.

Configuring Transform Sets for IKEv1

SUMMARY STEPS

1. enable2. configure terminal3. crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]4. mode [tunnel | transport]5. end6. clear crypto sa [peer {ip-address | peer-name} | samapmap-name | sa entry destination-address protocol

spi]7. show crypto ipsec transform-set [tag transform-set-name]

DETAILED STEPS







Step 2

Defines a transform set and enters crypto transform configurationmode.crypto ipsec transform-set transform-set-nametransform1 [transform2 [transform3]]

Step 3

• There are complex rules defining the entries that you can use fortransform arguments. These rules are explained in the command

Example:Device(config)# crypto ipsectransform-set aesset esp-aes 256esp-sha-hmac

description for the crypto ipsec transform-set command, andthe table in “About Transform Sets” section provides a list ofallowed transform combinations.




(Optional) Changes the mode associated with the transform set.mode [tunnel | transport]Step 4

Example:Device(cfg-crypto-tran)# mode transport

• The mode setting is applicable only to traffic whose source anddestination addresses are the IPsec peer addresses; it is ignoredfor all other traffic. (All other traffic is in tunnel mode only.)

Exits crypto transform configurationmode and enters privileged EXECmode.

end

Example:Device(cfg-crypto-tran)# end

Step 5

(Optional) Clears existing IPsec security associations so that anychanges to a transform set takes effect on subsequently establishedsecurity associations.

clear crypto sa [peer {ip-address | peer-name}| sa map map-name | sa entrydestination-address protocol spi]

Step 6

Example:Device# clear crypto sa

Manually established SAs are reestablished immediately.

• Using the clear crypto sa command without parameters clearsout the full SA database, which clears out active security sessions.

• You may also specify the peer,map, or entry keywords to clearout only a subset of the SA database.

(Optional) Displays the configured transform sets.show crypto ipsec transform-set [tagtransform-set-name]

Step 7

Example:Device# show crypto ipsec transform-set

What to Do Next

After you have defined a transform set, you should create a crypto map as specified in the “Creating CryptoMap Sets” section.




SUMMARY STEPS

1. enable2. configure terminal3. crypto ikev2 proposal proposal-name4. encryption transform1 [transform2] ...5. integrity transform1 [transform2] ...6. group transform1 [transform2] ...7. end8. show crypto ikev2 proposal

DETAILED STEPS







Step 2

Specifies the name of the proposal and enters crypto IKEv2 proposalconfiguration mode.

crypto ikev2 proposal proposal-name

Example:Device(config)# crypto ikev2proposal proposal-1

Step 3

• The proposals are referred in IKEv2 policies through the proposalname.

(Optional) Specifies one or more transforms of the following encryptiontype:

encryption transform1 [transform2] ...

Example:Device(config-ikev2-proposal)#encryption aes-cbc-128

Step 4

• AES-CBC 128—128-bit AES-CBC



• 3DES—168-bit DES (No longer recommended. AES is therecommended encryption algorithm).

(Optional) Specifies one or more transforms of the following integrity type:integrity transform1 [transform2] ...Step 5

Example:Device(config-ikev2-proposal)#integrity sha1

• The sha256 keyword specifies SHA-2 family 256-bit (HMAC variant)as the hash algorithm.





• The sha512 keyword specifies SHA-2 family 512-bit (HMAC variant)as the hash algorithm

• the sha1 keyword specifies the SHA-1 (HMAC variant) as the hashalgorithm.

• Themd5 keyword specifies MD5 (HMAC variant) as the hashalgorithm. (No longer recommended. SHA-1 is the recommendedreplacement.)

(Optional) Specifies one or more transforms of the possible DH group type:group transform1 [transform2] ...Step 6

Example:Device(config-ikev2-proposal)# group14

• 1—768-bit DH (No longer recommended.)

• 2—1024-bit DH (No longer recommended)


• 14—Specifies the 2048-bit DH group.



• 19—Specifies the 256-bit elliptic curve DH (ECDH) group.

• 20—Specifies the 384-bit ECDH group.

• 24—Specifies the 2048-bit DH/DSA group.

Exits crypto IKEv2 proposal configuration mode and returns to privilegedEXEC mode.

end

Example:Device(config-ikev2-proposal)# end

Step 7

(Optional) Displays the parameters for each IKEv2 proposal.show crypto ikev2 proposal

Example:Device# show crypto ikev2 proposal

Step 8

Transform Sets for IKEv2 Examples

The following examples show how to configure a proposal:

IKEv2 Proposal with One Transform for Each Transform Type

Device(config)# crypto ikev2 proposal proposal-1Device(config-ikev2-proposal)# encryption aes-cbc-128



Device(config-ikev2-proposal)# integrity sha1Device(config-ikev2-proposal)# group 14

IKEv2 Proposal with Multiple Transforms for Each Transform Type

crypto ikev2 proposal proposal-2encryption aes-cbc-128 aes-cbc-192integrity sha1 sha256group 14 15For a list of transform combinations, see Configuring Security for VPNs with IPsec.

IKEv2 Proposals on the Initiator and Responder

The proposal of the initiator is as follows:

Device(config)# crypto ikev2 proposal proposal-1Device(config-ikev2-proposal)# encryption aes-cbc-128 aes-cbc-196Device(config-ikev2-proposal)# integrity sha1 sha256Device(config-ikev2-proposal)# group 14 16The proposal of the responder is as follows:

Device(config)# crypto ikev2 proposal proposal-2Device(config-ikev2-proposal)# encryption aes-cbc-196 aes-cbc-128Device(config-ikev2-proposal)# integrity sha256 sha1Device(config-ikev2-proposal)# group 16 14In the scenario, the initiator’s choice of algorithms is preferred and the selected algorithms are as follows:

encryption aes-cbc-128integrity sha1group 14

What to Do Next

After you have defined a transform set, you should create a crypto map as specified in the “Creating CryptoMap Sets” section.

Creating Crypto Map Sets

Creating Static Crypto MapsWhen IKE is used to establish SAs, the IPsec peers can negotiate the settings they use for the new securityassociations. This means that you can specify lists (such as lists of acceptable transforms) within the cryptomap entry.

Perform this task to create crypto map entries that use IKE to establish SAs. To create IPv6 crypto map entries,you must use the ipv6 keyword with the crypto map command. For IPv4 crypto maps, use the crypto mapcommand without the ipv6 keyword.


Note


Configuring Security for VPNs with IPsecCreating Crypto Map Sets

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html#GUID-0337AA98-9BCD-4F2C-90C4-5B45690C203B



SUMMARY STEPS

1. enable2. configure terminal3. crypto map [ipv6] map-name seq-num [ipsec-isakmp]4. match address access-list-id5. set peer {hostname | ip-address}6. crypto ipsec security-association dummy {pps rate | seconds seconds}7. set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]8. set security-association lifetime {seconds seconds | kilobytes kilobytes | kilobytes disable}9. set security-association level per-host10. set pfs [group1 | group14 | group15 | group16 | group19 | group2 | group20 | group24 | group5]11. end12. show crypto map [interface interface | tag map-name]

DETAILED STEPS







Step 2

Creates or modifies a crypto map entry, and enters crypto mapconfiguration mode.

crypto map [ipv6] map-name seq-num[ipsec-isakmp]

Step 3

Example:Device(config)# crypto map static-map 1ipsec-isakmp

• For IPv4 crypto maps, use the command without the ipv6keyword.

Names an extended access list.match address access-list-idStep 4

Example:Device(config-crypto-m)# match addressvpn-tunnel

• This access list determines the traffic that should be protectedby IPsec and the traffic that should not be protected by IPsecsecurity in the context of this crypto map entry.

Specifies a remote IPsec peer—the peer to which IPsec protectedtraffic can be forwarded.

set peer {hostname | ip-address}

Example:Device(config-crypto-m)# set-peer192.168.101.1

Step 5

• Repeat for multiple remote peers.




Enables generating dummy packets. These dummy packets aregenerated for all flows created in the crypto map.

crypto ipsec security-association dummy {ppsrate | seconds seconds}

Example:Device(config-crypto-m)# setsecurity-association dummy seconds 5

Step 6

Specifies the transform sets that are allowed for this crypto map entry.set transform-set transform-set-name1[transform-set-name2...transform-set-name6]

Step 7

• List multiple transform sets in the order of priority (highestpriority first).

Example:Device(config-crypto-m)# settransform-set aesset

(Optional) Specifies a SA lifetime for the crypto map entry.set security-association lifetime {secondsseconds | kilobytes kilobytes | kilobytes disable}

Step 8

• By default, the SAs of the crypto map are negotiated accordingto the global lifetimes, which can be disabled.

Example:Device (config-crypto-m)# setsecurity-association lifetime seconds2700

(Optional) Specifies that separate SAs should be established for eachsource and destination host pair.

set security-association level per-host

Example:Device(config-crypto-m)# setsecurity-association level per-host

Step 9

• By default, a single IPsec “tunnel” can carry traffic for multiplesource hosts and multiple destination hosts.

Use this command with care because multiple streamsbetween given subnets can rapidly consume resources.

Caution

(Optional) Specifies that IPsec either should ask for password forwardsecrecy (PFS) when requesting new SAs for this crypto map entry orshould demand PFS in requests received from the IPsec peer.

set pfs [group1 | group14 | group15 | group16| group19 | group2 | group20 | group24 |group5]

Step 10

Example:Device(config-crypto-m)# set pfs group14

• Group 1 specifies the 768-bit Diffie-Hellman (DH) identifier(default). (No longer recommended).

• Group 2 specifies the 1024-bit DH identifier. (No longerrecommended).

• Group 5 specifies the 1536-bit DH identifier. (No longerrecommended)

• Group 14 specifies the 2048-bit DH identifier.



• Group 19 specifies the 256-bit elliptic curve DH (ECDH)identifier.

• Group 20 specifies the 384-bit ECDH identifier.




• Group 24 specifies the 2048-bit DH/DSA identifier

• By default, PFS is not requested. If no group is specified withthis command, group 1 is used as the default.

Exits crypto map configuration mode and returns to privileged EXECmode.

end

Example:Device(config-crypto-m)# end

Step 11

Displays your crypto map configuration.show crypto map [interface interface | tagmap-name]

Step 12

Example:Device# show crypto map

Troubleshooting Tips

Certain configuration changes take effect only when negotiating subsequent SAs. If you want the new settingsto take immediate effect, you must clear the existing SAs so that they are reestablished with the changedconfiguration. If the router is actively processing IPsec traffic, clear only the portion of the SA database thatwould be affected by the configuration changes (that is, clear only the SAs established by a given crypto mapset). Clearing the full SA database should be reserved for large-scale changes, or when the router is processingvery little other IPsec traffic.

To clear IPsec SAs, use the clear crypto sa command with appropriate parameters. (Omitting all parametersclears out the full SA database, which clears active security sessions.)

What to Do Next

After you have successfully created a static crypto map, you must apply the crypto map set to each interfacethrough which IPsec traffic flows. To complete this task, see the “Applying Crypto Map Sets to Interfaces”section.

Creating Dynamic Crypto MapsDynamic crypto map entries specify crypto access lists that limit traffic for which IPsec SAs can be established.A dynamic crypto map entry that does not specify an access list is ignored during traffic filtering. A dynamiccrypto map entry with an empty access list causes traffic to be dropped. If there is only one dynamic cryptomap entry in the crypto map set, it must specify the acceptable transform sets.

Perform this task to create dynamic crypto map entries that use IKE to establish the SAs.

IPv6 addresses are not supported on dynamic crypto maps.Note




Note

SUMMARY STEPS

1. enable2. configure terminal3. crypto dynamic-map dynamic-map-name dynamic-seq-num4. set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]5. match address access-list-id6. set peer {hostname | ip-address}7. set security-association lifetime {seconds seconds | kilobytes kilobytes | kilobytes disable}8. set pfs [group1 | group14 | group15 | group16 | group19 | group2 | group20 | group24 | group5]9. exit10. exit11. show crypto dynamic-map [tag map-name]12. configure terminal13. crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name [discover]14. exit

DETAILED STEPS







Step 2

Creates a dynamic crypto map entry and enters crypto map configurationmode.

crypto dynamic-map dynamic-map-namedynamic-seq-num

Example:Device(config)# crypto dynamic-maptest-map 1

Step 3

Specifies the transform sets allowed for the crypto map entry.set transform-set transform-set-name1[transform-set-name2...transform-set-name6]

Step 4






• List multiple transform sets in the order of priority (highest priorityfirst). This is the only configuration statement required in dynamiccrypto map entries.


(Optional) Specifies the list number or name of an extended access list.match address access-list-idStep 5

Example:Device(config-crypto-m)# match address101

• This access list determines which traffic should be protected by IPsecand which traffic should not be protected by IPsec security in thecontext of this crypto map entry.

Although access lists are optional for dynamic crypto maps, theyare highly recommended.

Note

• If an access list is configured, the data flow identity proposed by theIPsec peer must fall within a permit statement for this crypto accesslist.

• If an access list is not configured, the device accepts any data flowidentity proposed by the IPsec peer. However, if an access list isconfigured but the specified access list does not exist or is empty,the device drops all packets. This is similar to static crypto maps,which require access lists to be specified.

• Care must be taken if the any keyword is used in the access list,because the access list is used for packet filtering as well as fornegotiation.

• You must configure a match address; otherwise, the behavior is notsecure, and you cannot enable TED because packets are sent in theclear (unencrypted.)

(Optional) Specifies a remote IPsec peer. Repeat this step for multipleremote peers.


Example:Device(config-crypto-m)# set peer192.168.101.1

Step 6

This is rarely configured in dynamic crypto map entries. Dynamiccrypto map entries are often used for unknown remote peers.

Note

(Optional) Overrides (for a particular crypto map entry) the global lifetimevalue, which is used when negotiating IP Security SAs.

set security-association lifetime {secondsseconds | kilobytes kilobytes | kilobytesdisable}

Step 7

To minimize the possibility of packet loss when rekeying in highbandwidth environments, you can disable the rekey requesttriggered by a volume lifetime expiry.

Note

Example:Device(config-crypto-m)# setsecurity-association lifetime seconds7200

(Optional) Specifies that IPsec should ask for PFS when requesting newsecurity associations for this crypto map entry or should demand PFS inrequests received from the IPsec peer.

set pfs [group1 | group14 | group15 |group16 | group19 | group2 | group20 |group24 | group5]

Step 8




Example:Device(config-crypto-m)# set pfsgroup14







• Group 19 specifies the 256-bit elliptic curve DH (ECDH) identifier.



• By default, PFS is not requested. If no group is specified with thiscommand, group1 is used as the default.

Exits crypto map configuration mode and returns to global configurationmode.

exit

Example:Device(config-crypto-m)# exit

Step 9

Exits global configuration mode.exit

Example:Device(config)# exit

Step 10

(Optional) Displays information about dynamic crypto maps.show crypto dynamic-map [tagmap-name]

Example:Device# show crypto dynamic-map

Step 11



Step 12

(Optional) Adds a dynamic crypto map to a crypto map set.crypto map map-name seq-numipsec-isakmp dynamic dynamic-map-name[discover]

Step 13

• You should set the crypto map entries referencing dynamic maps tothe lowest priority entries in a crypto map set.

Example:Device(config)# crypto map static-map1 ipsec-isakmp dynamic test-mapdiscover

You must enter the discover keyword to enableTED.

Note






Step 14


Certain configuration changes take effect only when negotiating subsequent SAs. If you want the new settingsto take immediate effect, you must clear the existing SAs so that they are reestablished with the changedconfiguration. If the router is actively processing IPsec traffic, clear only the portion of the SA database thatwould be affected by the configuration changes (that is, clear only the SAs established by a given crypto mapset). Clearing the entire SA database must be reserved for large-scale changes, or when the router is processingminimal IPsec traffic.

To clear IPsec SAs, use the clear crypto sa command with appropriate parameters. (Omitting all parametersclears the full SA database, which clears active security sessions.)

What to Do Next

After you have successfully created a crypto map set, you must apply the crypto map set to each interfacethrough which IPsec traffic flows. To complete this task, see the “Applying Crypto Map Sets to Interfaces”section.

Creating Crypto Map Entries to Establish Manual SAsPerform this task to create crypto map entries to establish manual SAs (that is, when IKE is not used to establishthe SAs). To create IPv6 crypto maps entries, you must use the ipv6 keyword with the crypto map command.For IPv4 crypto maps, use the crypto map command without the ipv6 keyword.



SUMMARY STEPS

1. enable2. configure terminal3. crypto map [ipv6] map-name seq-num [ipsec-manual]4. match address access-list-id5. set peer {hostname | ip-address}6. set transform-set transform-set-name7. Do one of the following:

• set session-key inbound ah spi hex-key-string

• set session-key outbound ah spi hex-key-string

8. Do one of the following:

• set session-key inbound esp spi cipher hex-key-string [authenticator hex-key-string]

• set session-key outbound esp spi cipher hex-key-string [authenticator hex-key-string]

9. exit10. exit11. show crypto map [interface interface | tag map-name]

DETAILED STEPS







Step 2

Specifies the crypto map entry to be created or modified andenters crypto map configuration mode.

crypto map [ipv6] map-name seq-num[ipsec-manual]

Step 3

Example:Device(config)# crypto map mymap 10ipsec-manual

• For IPv4 crypto maps, use the crypto map commandwithout the ipv6 keyword.

Names an IPsec access list that determines which traffic shouldbe protected by IPsec and which traffic should not be protectedby IPsec in the context of this crypto map entry.

match address access-list-id

Example:Device(config-crypto-m)# match address 102

Step 4




• The access list can specify only one permit entry whenIKE is not used.

Specifies the remote IPsec peer. This is the peer to which IPsecprotected traffic should be forwarded.


Example:Device(config-crypto-m)# set peer 10.0.0.5

Step 5

• Only one peer can be specified when IKE is not used.

Specifies which transform set should be used.set transform-set transform-set-nameStep 6

Example:Device(config-crypto-m)# set transform-setsomeset

• This must be the same transform set that is specified in theremote peer’s corresponding crypto map entry.

Only one transform set can be specified when IKE isnot used.

Note

Sets the AH security parameter indexes (SPIs) and keys to applyto inbound and outbound protected traffic if the specifiedtransform set includes the AH protocol.

Do one of the following:Step 7

• set session-key inbound ah spi hex-key-string

• set session-key outbound ah spi hex-key-string • This manually specifies the AH security association to beused with protected traffic.

Example:Device(config-crypto-m)# set session-keyinbound ah 25698765432109876549876543210987654

Example:Device(config-crypto-m)# set session-keyoutbound ah 256fedcbafedcbafedcfedcbafedcbafedc

Sets the Encapsulating Security Payload (ESP) Security ParameterIndexes (SPI) and keys to apply to inbound and outbound

Do one of the following:Step 8

• set session-key inbound esp spi cipherhex-key-string [authenticator hex-key-string]

protected traffic if the specified transform set includes the ESPprotocol.

• set session-key outbound esp spi cipherhex-key-string [authenticator hex-key-string]

Or

Specifies the cipher keys if the transform set includes an ESPcipher algorithm. Specifies the authenticator keys if the transformset includes an ESP authenticator algorithm.

Example:Device(config-crypto-m)# set session-keyinbound esp 256 cipher 0123456789012345

• This manually specifies the ESP security association to beused with protected traffic.

Example:Device(config-crypto-m)# set session-keyoutbound esp 256 cipher abcdefabcdefabcd




Exits crypto map configuration mode and returns to globalconfiguration mode.

exit

Example:Device(config-crypto-m)# exit

Step 9



Step 10


Step 11



For manually established SAs, you must clear and reinitialize the SAs for the changes to take effect. To clearIPsec SAs, use the clear crypto sa command with appropriate parameters. (Omitting all parameters clearsthe entire SA database, which clears active security sessions.)

What to Do Next

After you have successfully created a crypto map set, you must apply the crypto map set to each interfacethrough which IPsec traffic flows. To complete this task, see the “Applying Crypto Map Sets to Interfaces”section.

Applying Crypto Map Sets to InterfacesYou must apply a crypto map set to each interface through which IPsec traffic flows. Applying the cryptomap set to an interface instructs the device to evaluate the interface’s traffic against the crypto map set and touse the specified policy during connection or security association negotiation on behalf of traffic to be protectedby the crypto map.

Perform this task to apply a crypto map to an interface.


Configuring Security for VPNs with IPsecApplying Crypto Map Sets to Interfaces

SUMMARY STEPS

1. enable2. configure terminal3. interface type/number4. crypto map map-name5. exit6. crypto map map-name local-address interface-id7. exit8. show crypto map [interface interface]

DETAILED STEPS







Step 2

Configures an interface and enters interface configurationmode.

interface type/number

Example:Device(config)# interface FastEthernet 0/0

Step 3

Applies a crypto map set to an interface.crypto map map-name

Example:Device(config-if)# crypto map mymap

Step 4

Exits interface configuration mode and returns to globalconfiguration mode.

exit

Example:Device(config-if)# exit

Step 5

(Optional) Permits redundant interfaces to share the samecrypto map using the same local identity.

crypto map map-name local-address interface-id

Example:Device(config)# crypto map mymap local-addressloopback0

Step 6

(Optional) Exits global configuration mode.exit


Step 7


Configuring Security for VPNs with IPsecApplying Crypto Map Sets to Interfaces


(Optional) Displays your crypto map configurationshow crypto map [interface interface]


Step 8

Configuration Examples for IPsec VPN

Example: Configuring AES-Based Static Crypto MapThis example shows how a static crypto map is configured and how an AES is defined as the encryptionmethod:

crypto isakmp policy 10encryption aes 256authentication pre-sharegroup 14lifetime 180crypto isakmp key cisco123 address 10.0.110.1!!crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmacmode transport!crypto map aesmap 10 ipsec-isakmpset peer 10.0.110.1set transform-set aessetmatch address 120!!!voice call carrier capacity active!!mta receive maximum-recipients 0!!interface FastEthernet0/0ip address 10.0.110.2 255.255.255.0ip nat outsideno ip route-cacheno ip mroute-cacheduplex autospeed autocrypto map aesmap!interface Serial0/0no ip addressshutdown!interface FastEthernet0/1ip address 10.0.110.1 255.255.255.0ip nat insideno ip route-cacheno ip mroute-cacheduplex autospeed auto


Configuring Security for VPNs with IPsecConfiguration Examples for IPsec VPN

!ip nat inside source list 110 interface FastEthernet0/0 overloadip classlessip route 0.0.0.0 0.0.0.0 10.5.1.1ip route 10.0.110.0 255.255.255.0 FastEthernet0/0ip route 172.18.124.0 255.255.255.0 10.5.1.1ip route 172.18.125.3 255.255.255.255 10.5.1.1ip http server!!access-list 110 deny ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255access-list 110 permit ip 10.0.110.0 0.0.0.255 anyaccess-list 120 permit ip 10.0.110.0 0.0.0.255 10.0.110.0 0.0.0.255!

Additional ReferencesRelated Documents

Document TitleRelated Topic

Cisco IOS Master Commands List, All ReleasesCisco IOS commands

• Cisco IOS Security Command ReferenceCommands A to C

• Cisco IOS Security Command ReferenceCommands D to L

• Cisco IOS Security Command ReferenceCommands M to R

• Cisco IOS Security Command ReferenceCommands S to Z

IKE, IPsec, and PKI configuration commands:complete command syntax, commandmode, defaults,usage guidelines, and examples

Configuring Internet Key Exchange for IPsec VPNsIKE configuration

Security for VPNs with IPsec Configuration GuideIPsec Virtual Tunnel Interfaces

Internet Key Exchange for IPsec VPNs ConfigurationGuide

VRF-Aware IPsec


Internet Key Exchange for IPsec VPNs


Encrypted Preshared Key

Configuring Internet Key Exchange Version 2 (IKEv2)Suite-B Integrity algorithm type transformconfiguration

Configuring Certificate Enrollment for a PKISuite-B support for certificate enrollment for a PKI


Configuring Security for VPNs with IPsecAdditional References

http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-cr-book.html


http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-d1-cr-book.html


http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-m1-cr-book.html


http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-s1-cr-book.html


http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ike-for-ipsec-vpns-xe-16-book/sec-key-exch-ipsec.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16/sec-sec-for-vpns-w-ipsec-xe-16-book.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ike-for-ipsec-vpns-xe-16-book/sec-vrf-aware-ipsec.html






Standards

TitleStandards

—None

MIBs

MIBs LinkMIBs

To locate and downloadMIBs for selected platforms,Cisco IOS software releases, and feature sets, useCisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

• CISCO-IPSEC-FLOW-MONITOR- MIB

• CISCO-IPSEC-MIB

• CISCO-IPSEC-POLICY-MAP-MIB

RFCs

TitleRFCs

Security Architecture for the Internet ProtocolRFC 2401

IP Authentication HeaderRFC 2402

The Use of HMAC-MD5-96 within ESP and AHRFC 2403

The Use of HMAC-SHA-1-96 within ESP and AHRFC 2404

The ESP DES-CBC Cipher Algorithm With ExplicitIV

RFC 2405

IP Encapsulating Security Payload (ESP)RFC 2406

The Internet IP Security Domain of Interpretation forISAKMP

RFC 2407

Internet Security Association and Key ManagementProtocol (ISAKMP)

RFC 2408


Configuring Security for VPNs with IPsecAdditional References

Technical Assistance

LinkDescription

http://www.cisco.com/cisco/web/support/index.htmlThe Cisco Support and Documentation websiteprovides online resources to download documentation,software, and tools. Use these resources to install andconfigure the software and to troubleshoot and resolvetechnical issues with Cisco products and technologies.Access to most tools on the Cisco Support andDocumentation website requires a Cisco.com user IDand password.

Feature Information for Configuring Security for VPNs withIPsec

The following table provides release information about the feature or features described in this module. Thistable lists only the software release that introduced support for a given feature in a given software releasetrain. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 4: Feature Information for Configuring Security for IPsec VPNs

Feature InformationSoftware ReleasesFeature Name

This feature adds support for thenew encryption standard AES,which is a privacy transform forIPsec and IKE and has beendeveloped to replace DES.

The following commands weremodified by this feature: cryptoipsec transform-set, encryption(IKE policy), show crypto ipsectransform-set, show cryptoisakmp policy.

Advanced Encryption Standard


Configuring Security for VPNs with IPsecFeature Information for Configuring Security for VPNs with IPsec

http://www.cisco.com/cisco/web/support/index.html


Feature InformationSoftware ReleasesFeature Name

Suite-B adds support for four userinterface suites of cryptographicalgorithms for use with IKE andIPSec that are described in RFC4869. Each suite consists of anencryption algorithm, a digitalsignature algorithm, a keyagreement algorithm, and a hashor message digest algorithm.

The following command wasmodified by this feature: cryptoipsec transform-set.

Suite-B Support in IOS SWCrypto





C H A P T E R 2IPsec Virtual Tunnel Interfaces

IPsec virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and aneasy way to define protection between sites to form an overlay network. IPsec VTIs simplify the configurationof IPsec for protection of remote links, support multicast, and simplify network management and loadbalancing.


Note


• Restrictions for IPsec Virtual Tunnel Interfaces, page 48

• Information About IPsec Virtual Tunnel Interfaces, page 48

• How to Configure IPsec Virtual Tunnel Interfaces, page 52

• Configuration Examples for IPsec Virtual Tunnel Interfaces, page 56

• Additional References for IPsec Virtual Tunnel Interface, page 66

• Feature Information for IPsec Virtual Tunnel Interfaces, page 67








Restrictions for IPsec Virtual Tunnel InterfacesIPsec Transform Set

The IPsec transform set must be configured in tunnel mode only.

IKE Security Association

The Internet Key Exchange (IKE) security association (SA) is bound to the VTI.

IPsec SA Traffic Selectors

Static VTIs (SVTIs) support only a single IPsec SA that is attached to the VTI interface. The traffic selectorfor the IPsec SA is always “IP any any.”

IPv4

This feature supports SVTIs that are configured to encapsulate IPv4 packets .

Tunnel Protection

Do not configure the shared keyword when using the tunnelmode ipsec ipv4 command for IPsec IPv4mode.

Traceroute

The traceroute function with crypto offload on VTIs is not supported.

Information About IPsec Virtual Tunnel InterfacesThe use of IPsec VTIs can simplify the configuration process when you need to provide protection for remoteaccess and it provides an alternative to using generic routing encapsulation (GRE) or Layer 2 TunnelingProtocol (L2TP) tunnels for encapsulation. A benefit of using IPsec VTIs is that the configuration does notrequire static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated withan actual (virtual) interface. Because there is a routable interface at the tunnel endpoint, many common interfacecapabilities can be applied to the IPsec tunnel.

The IPsec VTI allows for the flexibility of sending and receiving both IP unicast and multicast encryptedtraffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted or decrypted whenit is forwarded from or to the tunnel interface and is managed by the IP routing table. Using IP routing toforward the traffic to the tunnel interface simplifies the IPsec VPN configuration . Because DVTIs functionlike any other real interface you can apply quality of service (QoS), firewall, and other security services assoon as the tunnel is active.

The following sections provide details about the IPSec VTI:

Benefits of Using IPsec Virtual Tunnel InterfacesIPsec VTIs allow you to configure a virtual interface to which you can apply features. Features for clear-textpackets are configured on the VTI. Features for encrypted packets are applied on the physical outside interface.


IPsec Virtual Tunnel InterfacesRestrictions for IPsec Virtual Tunnel Interfaces

When IPsec VTIs are used, you can separate the application of features such as Network Address Translation(NAT), ACLs, and QoS and apply them to clear-text, or encrypted text, or both.

There are two types of VTI interfaces: static VTIs (SVTIs) and dynamic VTIs (DVTIs).

Static Virtual Tunnel InterfacesSVTI configurations can be used for site-to-site connectivity in which a tunnel provides always-on accessbetween two sites.

Additionally, multiple Cisco IOS software features can be configured directly on the tunnel interface and onthe physical egress interface of the tunnel interface. This direct configuration allows users to have solid controlon the application of the features in the pre- or post-encryption path.

The figure below illustrates how a SVTI is used.

Figure 5: IPsec SVTI

The IPsec VTI supports native IPsec tunneling and exhibits most of the properties of a physical interface.

Dynamic Virtual Tunnel InterfacesDVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTI technologyreplaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels.

You can configure DVTIs with IKEv1 or IKEv2. The legacy crypto map based configuration supportsDVTIs with IKEv1 only. A DVTI configuration with IKEv2 is supported only in FlexVPN.

Note

DVTIs can be used for both the server and the remote configuration. The tunnels provide an on-demandseparate virtual access interface for each VPN session. The configuration of the virtual access interfaces iscloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOSsoftware feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs.

DVTIs function like any other real interface, so you can apply QoS, firewall, or other security services assoon as the tunnel is active. QoS features can be used to improve the performance of various applicationsacross the network. Any combination of QoS features offered in Cisco IOS software can be used to supportvoice, video, or data applications.


IPsec Virtual Tunnel InterfacesStatic Virtual Tunnel Interfaces

DVTIs provide efficiency in the use of IP addresses and provide secure connectivity. DVTIs allow dynamicallydownloadable per-group and per-user policies to be configured on a RADIUS server. The per-group or per-userdefinition can be created using an extended authentication (Xauth) User or Unity group, or can be derivedfrom a certificate. DVTIs are standards based, so interoperability in amultiple-vendor environment is supported.IPsec DVTIs allow you to create highly secure connectivity for remote access VPNs and can be combinedwith Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver converged voice, video,and data over IP networks. The DVTI simplifies VPN routing and forwarding- (VRF-) aware IPsec deployment.The VRF is configured on the interface.

A DVTI requires minimal configuration on the router. A single virtual template can be configured and cloned.

The DVTI creates an interface for IPsec sessions and uses the virtual template infrastructure for dynamicinstantiation andmanagement of dynamic IPsec VTIs. The virtual template infrastructure is extended to createdynamic virtual-access tunnel interfaces. DVTIs are used in hub-and-spoke configurations. A single DVTIcan support several static VTIs.

The figure below illustrates the DVTI authentication path.

Figure 6: Dynamic IPsec VTI

The authentication shown in the figure above follows this path:

1 User 1 calls the router.

2 Router 1 authenticates User 1.

3 IPsec clones the virtual access interface from the virtual template interface.

Dynamic Virtual Tunnel Interface Life CycleIPsec profiles define the policy for DVTIs. The dynamic interface is created at the end of IKE Phase 1 andIKE Phase 1.5. The interface is deleted when the IPsec session to the peer is closed. The IPsec session isclosed when both IKE and IPsec SAs to the peer are deleted.


IPsec Virtual Tunnel InterfacesDynamic Virtual Tunnel Interface Life Cycle

Routing with IPsec Virtual Tunnel InterfacesBecause VTIs are routable interfaces, routing plays an important role in the encryption process. Traffic isencrypted only if it is forwarded out of the VTI, and traffic arriving on the VTI is decrypted and routedaccordingly. VTIs allow you to establish an encryption tunnel using a real interface as the tunnel endpoint.You can route to the interface or apply services such as QoS, firewalls, network address translation (NAT),and NetFlow statistics as you would to any other interface. You can monitor the interface and route to it, andthe interface provides benefits similar to other Cisco IOS interface.

Traffic Encryption with the IPsec Virtual Tunnel InterfaceWhen an IPsec VTI is configured, encryption occurs in the tunnel. Traffic is encrypted when it is forwardedto the tunnel interface. Traffic forwarding is handled by the IP routing table, and dynamic or static routingcan be used to route traffic to the SVTI. DVTI uses reverse route injection to further simplify the routingconfigurations. Using IP routing to forward the traffic to encryption simplifies the IPsec VPN configuration. The IPsec virtual tunnel also allows you to encrypt multicast traffic with IPsec.

IPsec packet flow into the IPSec tunnel is illustrated in the figure below.

Figure 7: Packet Flow into the IPsec Tunnel

After packets arrive on the inside interface, the forwarding engine switches the packets to the VTI, wherethey are encrypted. The encrypted packets are handed back to the forwarding engine, where they are switchedthrough the outside interface.


IPsec Virtual Tunnel InterfacesRouting with IPsec Virtual Tunnel Interfaces

The figure below shows the packet flow out of the IPsec tunnel.

Figure 8: Packet Flow out of the IPsec Tunnel

How to Configure IPsec Virtual Tunnel Interfaces

Configuring Static IPsec Virtual Tunnel Interfaces

SUMMARY STEPS

1. enable2. configure terminal3. crypto IPsec profile profile-name4. set transform-set transform-set-name [transform-set-name2...transform-set-name6]5. exit6. interface type number7. ip address address mask8. tunnel mode ipsec ipv49. tunnel source interface-type interface-number10. tunnel destination ip-address11. tunnel protection IPsec profile profile-name12. end


IPsec Virtual Tunnel InterfacesHow to Configure IPsec Virtual Tunnel Interfaces

DETAILED STEPS



Example:

Device> enable



Example:

Device# configure terminal

Step 2

Defines the IPsec parameters that are to be used forIPsec encryption between two IPsec devices, and entersIPsec profile configuration mode.

crypto IPsec profile profile-name

Example:

Device(config)# crypto IPsec profile PROF

Step 3

Specifies which transform sets can be used .set transform-set transform-set-name[transform-set-name2...transform-set-name6]

Step 4

Example:

Device(ipsec-profile)# set transform-set tset

Exits IPsec profile configuration mode, and entersglobal configuration mode.

exit

Example:Device(ipsec-profile)# exit

Step 5

Specifies the interface on which the tunnel will beconfigured and enters interface configuration mode.

interface type number

Example:

Device(config)# interface tunnel 0

Step 6

Specifies the IP address and mask.ip address address mask

Example:

Device(config-if)# ip address 10.1.1.1255.255.255.0

Step 7

Defines the mode for the tunnel.tunnel mode ipsec ipv4

Example:Device(config-if)# tunnel mode ipsec ipv4

Step 8


IPsec Virtual Tunnel InterfacesConfiguring Static IPsec Virtual Tunnel Interfaces


Specifies the tunnel source as a loopback interface.tunnel source interface-type interface-number

Example:

Device(config-if)# tunnel source loopback 0

Step 9

Identifies the IP address of the tunnel destination.tunnel destination ip-address

Example:

Device(config-if)# tunnel destination 172.16.1.1

Step 10

Associates a tunnel interface with an IPsec profile.tunnel protection IPsec profile profile-name

Example:

Device(config-if)# tunnel protection IPsec profilePROF

Step 11

Exits interface configuration mode and returns toprivileged EXEC mode.

end

Example:Device(config-if)# end

Step 12

Configuring Dynamic IPsec Virtual Tunnel Interfaces

SUMMARY STEPS

1. enable2. configure terminal3. crypto ipsec profile profile-name4. set transform-set transform-set-name [transform-set-name2...transform-set-name6]5. exit6. interface virtual-template number type tunnel7. tunnel mode ipsec ipv48. tunnel protection IPsec profile profile-name9. exit10. crypto isakamp profile profile-name11. match identity address ip-address mask12. virtual template template-number13. end


IPsec Virtual Tunnel InterfacesConfiguring Dynamic IPsec Virtual Tunnel Interfaces

DETAILED STEPS







Step 2

Defines the IPsec parameters that are to be used for IPsecencryption between two IPsec devices and enters IPsecprofile configuration mode.

crypto ipsec profile profile-name

Example:Device(config)# crypto ipsec profile PROF

Step 3

Specifies which transform sets can be used with thecrypto map entry.

set transform-set transform-set-name[transform-set-name2...transform-set-name6]

Example:Device(ipsec-profile)# set transform-set tset

Step 4

Exits ipsec profile configurationmode and enters globalconfiguration mode.

exit

Example:Device(ipsec-profile)# exit

Step 5

Defines a virtual-template tunnel interface and entersinterface configuration mode.

interface virtual-template number type tunnel

Example:Device(config)# interface virtual-template 2 typetunnel

Step 6

Defines the mode for the tunnel.tunnel mode ipsec ipv4

Example:Device(config-if)# tunnel mode ipsec ipv4

Step 7

Associates a tunnel interface with an IPsec profile.tunnel protection IPsec profile profile-name

Example:Device(config-if)# tunnel protection ipsecprofile PROF

Step 8

Exits interface configuration mode.exit

Example:Device(config-if)# exit

Step 9


IPsec Virtual Tunnel InterfacesConfiguring Dynamic IPsec Virtual Tunnel Interfaces


Defines the ISAKMP profile to be used for the virtualtemplate.

crypto isakamp profile profile-name

Example:Device(config)# crypto isakamp profile profile1

Step 10

Matches an identity from the ISAKMP profile and entersisakmp-profile configuration mode.

match identity address ip-address mask

Example:Device(conf-isa-prof)# match identity address10.1.1.0 255.255.255.0

Step 11

Specifies the virtual template attached to the ISAKMPprofile.

virtual template template-number

Example:Device(config)# virtual-template 1

Step 12

Exits global configuration mode and enters privilegedEXEC mode.

end

Example:Device(config)# end

Step 13

Configuration Examples for IPsec Virtual Tunnel Interfaces

Example: Static Virtual Tunnel Interface with IPsecThe following example configuration uses a preshared key for authentication between peers. VPN traffic isforwarded to the IPsec VTI for encryption and then sent out the physical interface. The tunnel on subnet 10checks packets for the IPsec policy and passes them to the Crypto Engine (CE) for IPsec encapsulation. Thefigure below illustrates the IPsec VTI configuration.

Figure 9: VTI with IPsec

Router Configuration

version 12.3service timestamps debug datetimeservice timestamps log datetimehostname 7200-3no aaa new-modelip subnet-zeroip cefcontroller ISA 6/1!crypto isakmp policy 1encr aesauthentication pre-sharegroup 14


IPsec Virtual Tunnel InterfacesConfiguration Examples for IPsec Virtual Tunnel Interfaces

crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0crypto ipsec transform-set T1 esp-aes esp-sha-hmaccrypto ipsec profile P1set transform-set T1!interface Tunnel0ip address 10.0.51.203 255.255.255.0

load-interval 30tunnel source 10.0.149.203tunnel destination 10.0.149.217tunnel mode IPsec ipv4tunnel protection IPsec profile P1!

ip address 10.0.149.203 255.255.255.0duplex full!

ip address 10.0.35.203 255.255.255.0duplex full!ip classlessip route 10.0.36.0 255.255.255.0 Tunnel0line con 0line aux 0line vty 0 4end

Router Configuration

version 12.3hostname c1750-17no aaa new-modelip subnet-zeroip cefcrypto isakmp policy 1encr aesauthentication pre-sharegroup 14crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0crypto ipsec transform-set T1 esp-aes esp-sha-hmaccrypto ipsec profile P1set transform-set T1!interface Tunnel0ip address 10.0.51.217 255.255.255.0

tunnel source 10.0.149.217tunnel destination 10.0.149.203tunnel mode ipsec ipv4tunnel protection ipsec profile P1!interfaceip address 10.0.149.217 255.255.255.0speed 100full-duplex!interfaceip address 10.0.36.217 255.255.255.0load-interval 30full-duplex!ip classlessip route 10.0.35.0 255.255.255.0 Tunnel0line con 0line aux 0line vty 0 4end


IPsec Virtual Tunnel InterfacesExample: Static Virtual Tunnel Interface with IPsec

Example: Verifying the Results for the IPsec Static Virtual Tunnel InterfaceThis section provides information that you can use to confirm that your configuration is working properly. Inthis display, Tunnel 0 is “up,” and the line protocol is “up.” If the line protocol is “down,” the session is notactive.

Verifying the IPsec Static Virtual Tunnel Interface

Router# show interface tunnel 0

Tunnel0 is up, line protocol is upHardware is TunnelInternet address is 10.0.51.203/24MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,reliability 255/255, txload 103/255, rxload 110/255Encapsulation TUNNEL, loopback not setKeepalive not setTunnel source 10.0.149.203, destination 10.0.149.217Tunnel protocol/transport ipsec/ip, key disabled, sequencing disabledTunnel TTL 255Checksumming of packets disabled, fast tunneling enabledTunnel transmit bandwidth 8000 (kbps)Tunnel receive bandwidth 8000 (kbps)Tunnel protection via IPsec (profile "P1")Last input never, output never, output hang neverLast clearing of "show interface" counters neverInput queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0Queueing strategy: fifoOutput queue: 0/0 (size/max)30 second input rate 13000 bits/sec, 34 packets/sec30 second output rate 36000 bits/sec, 34 packets/sec191320 packets input, 30129126 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort59968 packets output, 15369696 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped out

Router# show crypto session

Crypto session current statusInterface: Tunnel0Session status: UP-ACTIVEPeer: 10.0.149.217 port 500IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 ActiveIPsec FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0Active SAs: 4,Router# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is not set10.0.0.0/8 is variably subnetted, 4 subnets, 2 masksC 10.0.35.0/24 is directly connected, Ethernet3/3S 10.0.36.0/24 is directly connected, Tunnel0C 10.0.51.0/24 is directly connected, Tunnel0C 10.0.149.0/24 is directly connected, Ethernet3/0


IPsec Virtual Tunnel InterfacesExample: Static Virtual Tunnel Interface with IPsec

Example: VRF-Aware Static Virtual Tunnel InterfaceTo add the VRF to the static VTI example, include the ipvrf and ip vrf forwarding commands to theconfiguration as shown in the following example.

Cisco 7206 Router Configuration

hostname cisco 7206..ip vrf sample-vti1rd 1:1route-target export 1:1route-target import 1:1!..interface Tunnel0ip vrf forwarding sample-vti1ip address 10.0.51.217 255.255.255.0tunnel source 10.0.149.217tunnel destination 10.0.149.203tunnel mode ipsec ipv4tunnel protection ipsec profile P1..!end

Example: Static Virtual Tunnel Interface with QoSYou can apply any QoS policy to the tunnel endpoint by including the service-policy statement under thetunnel interface. The following example shows how to police traffic out the tunnel interface.


hostname cisco 7206..class-map match-all VTImatch any!policy-map VTIclass VTIpolice cir 2000000conform-action transmitexceed-action drop

!..interface Tunnel0ip address 10.0.51.217 255.255.255.0tunnel source 10.0.149.217tunnel destination 10.0.149.203tunnel mode ipsec ipv4tunnel protection ipsec profile P1service-policy output VTI!..!end


IPsec Virtual Tunnel InterfacesExample: VRF-Aware Static Virtual Tunnel Interface

Example: Static Virtual Tunnel Interface with Virtual FirewallApplying the virtual firewall to the SVTI tunnel allows traffic from the spoke to pass through the hub to reachthe Internet. The figure below illustrates an SVTI with the spoke protected inherently by the corporate firewall.

Figure 10: Static VTI with Virtual Firewall

The basic SVTI configuration has been modified to include the virtual firewall definition:


hostname cisco 7206..ip inspect max-incomplete high 1000000ip inspect max-incomplete low 800000ip inspect one-minute high 1000000ip inspect one-minute low 800000ip inspect tcp synwait-time 60ip inspect tcp max-incomplete host 100000 block-time 2ip inspect name IOSFW1 tcp timeout 300ip inspect name IOSFW1 udp!..interface GigabitEthernet0/1description Internet Connectionip address 172.18.143.246 255.255.255.0ip access-group 100 inip nat outside!interface Tunnel0ip address 10.0.51.217 255.255.255.0ip nat insideip inspect IOSFW1 intunnel source 10.0.149.217tunnel destination 10.0.149.203tunnel mode ipsec ipv4tunnel protection ipsec profile P1!ip classlessip route 0.0.0.0 0.0.0.0 172.18.143.1!ip nat translation timeout 120ip nat translation finrst-timeout 2


IPsec Virtual Tunnel InterfacesExample: Static Virtual Tunnel Interface with Virtual Firewall

ip nat translation max-entries 300000ip nat pool test1 10.2.100.1 10.2.100.50 netmask 255.255.255.0ip nat inside source list 110 pool test1 vrf test-vti1 overload!access-list 100 permit esp any anyaccess-list 100 permit udp any eq isakmp anyaccess-list 100 permit udp any eq non500-isakmp anyaccess-list 100 permit icmp any anyaccess-list 110 deny esp any anyaccess-list 110 deny udp any eq isakmp anyaccess-list 110 permit ip any anyaccess-list 110 deny udp any eq non500-isakmp any!end

Example: Dynamic Virtual Tunnel Interface Easy VPN ServerThe following example illustrates the use of the DVTI Easy VPN server, which serves as an IPsec remoteaccess aggregator. The client can be a home user running a Cisco VPN client or a Cisco IOS router configuredas an Easy VPN client.


hostname cisco 7206!aaa new-modelaaa authentication login local_list localaaa authorization network local_list localaaa session-id common!ip subnet-zeroip cef!username cisco password 0 cisco123!controller ISA 1/1!crypto isakmp policy 1encr aesauthentication pre-sharegroup 14!crypto isakmp client configuration group group1key cisco123pool group1poolsave-password!crypto isakmp profile vpn1-ra

match identity group group1client authentication list local_listisakmp authorization list local_listclient configuration address respondvirtual-template 1

!crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac!crypto ipsec profile test-vti1set transform-set VTI-TS!interface GigabitEthernet0/1description Internet Connectionip address 172.18.143.246 255.255.255.0!interface GigabitEthernet0/2description Internal Networkip address 10.2.1.1 255.255.255.0!


IPsec Virtual Tunnel InterfacesExample: Dynamic Virtual Tunnel Interface Easy VPN Server

interface Virtual-Template1 type tunnelip unnumbered GigabitEthernet0/1ip virtual-reassemblytunnel mode ipsec ipv4tunnel protection ipsec profile test-vti1!ip local pool group1pool 192.168.1.1 192.168.1.4ip classlessip route 0.0.0.0 0.0.0.0 172.18.143.1!end

Example: Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN ServerThe following examples show that a DVTI has been configured for an Easy VPN server.

Router# show running-config interface Virtual-Access2

Building configuration...Current configuration : 250 bytes!interface Virtual-Access2ip unnumbered GigabitEthernet0/1ip virtual-reassemblytunnel source 172.18.143.246tunnel destination 172.18.143.208tunnel mode ipsec ipv4tunnel protection ipsec profile test-vti1no tunnel protection ipsec initiateendRouter# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static route

Gateway of last resort is 10.2.1.10 to network 0.0.0.0172.18.0.0/24 is subnetted, 1 subnets

C 172.18.143.0 is directly connected, GigabitEthernet0/1192.168.1.0/32 is subnetted, 1 subnets

S 192.168.1.1 [1/0] via 0.0.0.0, Virtual-Access210.0.0.0/24 is subnetted, 1 subnets

C 10.2.1.0 is directly connected, GigabitEthernet0/2S* 0.0.0.0/0 [1/0] via 172.18.143.1

Example: Dynamic Virtual Tunnel Interface Easy VPN ClientThe following example shows how you can set up a router as the Easy VPN client. This example uses thesame idea as the Easy VPN client that you can run from a PC to connect to a network. The configuration ofthe Easy VPN server will work for the software client or the Cisco IOS client.

hostname cisco 1841!no aaa new-model!ip cef!username cisco password 0 cisco123!crypto ipsec client ezvpn CLIENTconnect manualgroup group1 key cisco123


IPsec Virtual Tunnel InterfacesExample: Dynamic Virtual Tunnel Interface Easy VPN Client

mode clientpeer 172.18.143.246virtual-interface 1username cisco password cisco123xauth userid mode local!interface Loopback0ip address 10.1.1.1 255.255.255.255!interface FastEthernet0/0description Internet Connectionip address 172.18.143.208 255.255.255.0crypto ipsec client ezvpn CLIENT!interface FastEthernet0/1ip address 10.1.1.252 255.255.255.0crypto ipsec client ezvpn CLIENT inside!interface Virtual-Template1 type tunnelip unnumbered Loopback0!ip route 0.0.0.0 0.0.0.0 172.18.143.1 254!endThe client definition can be set up in many different ways. The mode specified with the connect commandcan be automatic or manual. If the connect mode is set to manual, the IPsec tunnel has to be initiated manuallyby a user.

Note the use of themode command. The mode can be a client, network-extension, or network-extension-plus.This example indicates the client mode, which means that the client is given a private address from the server.The network-extension mode is different from the client mode in that the client specifies for the server itsattached private subnet. Depending on the mode, the routing table on either end will be slightly different. Thebasic operation of the IPsec tunnel remains the same, regardless of the specified mode.

Example: Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN ClientThe following examples illustrate different ways to display the status of the DVTI.

Router# show running-config interface Virtual-Access2

Building configuration...Current configuration : 148 bytes!interface Virtual-Access2ip unnumbered Loopback1tunnel source FastEthernet0/0tunnel destination 172.18.143.246tunnel mode ipsec ipv4end

Router# show running-config interface Loopback1

Building configuration...Current configuration : 65 bytes!interface Loopback1ip address 192.168.1.1 255.255.255.255endRouter# show ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static route

Gateway of last resort is 172.18.143.1 to network 0.0.0.0


IPsec Virtual Tunnel InterfacesExample: Dynamic Virtual Tunnel Interface Easy VPN Client

10.0.0.0/32 is subnetted, 1 subnetsC 10.1.1.1 is directly connected, Loopback0

172.18.0.0/24 is subnetted, 1 subnetsC 172.18.143.0 is directly connected, FastEthernet0/0

192.168.1.0/32 is subnetted, 1 subnetsC 192.168.1.1 is directly connected, Loopback1S* 0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access2

Router# show crypto ipsec client ezvpn

Easy VPN Remote Phase: 6Tunnel name : CLIENTInside interface list: FastEthernet0/1Outside interface: Virtual-Access2 (bound to FastEthernet0/0)Current State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 192.168.1.1Mask: 255.255.255.255Save Password: AllowedCurrent EzVPN Peer: 172.18.143.246

Example: VRF-Aware IPsec with Dynamic VTIThis example shows how to configure VRF-Aware IPsec to take advantage of the DVTI:

hostname c7206..ip vrf test-vti1rd 1:1route-target export 1:1route-target import 1:1!..interface Virtual-Template1 type tunnelip vrf forwarding test-vti1ip unnumbered Loopback0ip virtual-reassemblytunnel mode ipsec ipv4tunnel protection ipsec profile test-vti1!..end

Example: Dynamic Virtual Tunnel Interface with Virtual FirewallThe DVTI Easy VPN server can be configured behind a virtual firewall. Behind-the-firewall configurationallows users to enter the network, while the network firewall is protected from unauthorized access. The virtualfirewall uses Context-Based Access Control (CBAC) and NAT applied to the Internet interface as well as tothe virtual template.

hostname cisco 7206..ip inspect max-incomplete high 1000000ip inspect max-incomplete low 800000ip inspect one-minute high 1000000ip inspect one-minute low 800000ip inspect tcp synwait-time 60ip inspect tcp max-incomplete host 100000 block-time 2ip inspect name IOSFW1 tcp timeout 300ip inspect name IOSFW1 udp


IPsec Virtual Tunnel InterfacesExample: VRF-Aware IPsec with Dynamic VTI

!..interface GigabitEthernet0/1description Internet Connectionip address 172.18.143.246 255.255.255.0ip access-group 100 inip nat outside!interface GigabitEthernet0/2description Internal Networkip address 10.2.1.1 255.255.255.0!interface Virtual-Template1 type tunnelip unnumbered Loopback0ip nat insideip inspect IOSFW1 intunnel mode ipsec ipv4tunnel protection ipsec profile test-vti1!ip classlessip route 0.0.0.0 0.0.0.0 172.18.143.1!ip nat translation timeout 120ip nat translation finrst-timeout 2ip nat translation max-entries 300000ip nat pool test1 10.2.100.1 10.2.100.50 netmask 255.255.255.0ip nat inside source list 110 pool test1 vrf test-vti1 overload!access-list 100 permit esp any anyaccess-list 100 permit udp any eq isakmp anyaccess-list 100 permit udp any eq non500-isakmp anyaccess-list 100 permit icmp any anyaccess-list 110 deny esp any anyaccess-list 110 deny udp any eq isakmp anyaccess-list 110 permit ip any anyaccess-list 110 deny udp any eq non500-isakmp any!end

Example: Dynamic Virtual Tunnel Interface with QoSYou can add QoS to the DVTI tunnel by applying the service policy to the virtual template.When the templateis cloned to make the virtual access interface, the service policy will also be applied to the virtual accessinterface. The following example shows the basic DVTI configuration with QoS added.

hostname cisco 7206..class-map match-all VTImatch any!policy-map VTIclass VTIpolice cir 2000000conform-action transmitexceed-action drop

!..interface Virtual-Template1 type tunnelip vrf forwarding test-vti1ip unnumbered Loopback0ip virtual-reassemblytunnel mode ipsec ipv4tunnel protection ipsec profile test-vti1service-policy output VTI!


IPsec Virtual Tunnel InterfacesExample: Dynamic Virtual Tunnel Interface with QoS

.

.!end

Additional References for IPsec Virtual Tunnel InterfaceRelated Documents


Cisco IOS Master Command List, All ReleasesCisco IOS commands





Security commands

Configuring Security for VPNs with IPsecIPsec configuration

Cisco IOS Quality of Service Solutions ConfigurationGuide

QoS configuration

• Cisco Easy VPN Remote

• Easy VPN Server

EasyVPN configuration

Next Generation EncryptionRecommended cryptographic algorithms

Standards and RFCs

TitleStandard/RFC

Security Architecture for the Internet ProtocolRFC 2401

Internet Security Association and Key ManagementProtocol

RFC 2408

The Internet Key Exchange (IKE)RFC 2409


IPsec Virtual Tunnel InterfacesAdditional References for IPsec Virtual Tunnel Interface












LinkDescription


Feature Information for IPsec Virtual Tunnel InterfacesThe following table provides release information about the feature or features described in this module. Thistable lists only the software release that introduced support for a given feature in a given software releasetrain. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 5: Feature Information for IPsec Virtual Tunnel Interfaces

Feature Configuration InformationReleasesFeature Name

Dynamic VTIs enable efficient useof IP addresses and provide secureconnectivity. Dynamic VTIs allowdynamically downloadableper-group and per-user policies tobe configured on a RADIUSserver. IPsec dynamic VTIs allowyou to create highly secureconnectivity for remote accessVPNs. The dynamicVTI simplifiesVRF-aware IPsec deployment.

The following commands wereintroduced or modified: cryptoisakmp profile, interfacevirtual-template, showvtemplate, tunnel mode,virtual-template.

Dynamic IPsec VTIs


IPsec Virtual Tunnel InterfacesFeature Information for IPsec Virtual Tunnel Interfaces




The FlexVPNMixedMode featureprovides support for carrying IPv4traffic over IPsec IPv6 transport.This is the first phase towardsproviding dual stack support on theIPsec stack. This implementationdoes not support using a singleIPsec security association (SA) pairfor both IPv4 and IPv6 traffic.

This feature is only supported forRemote Access VPN with IKEv2and Dynamic VTI.

FlexVPN Mixed Mode Support

The Profile Based Tunnel Selectionfeature uses the Internet KeyExchange (IKE) or Internet KeyExchange version 2 (IKEv2)profile to select a tunnel interfacefor an IPsec session therebyallowing tunnel interfaces to sharethe tunnel source IP address andIPsec transform set without sharingthe IPsec security associationdatabases (SADBs) among tunnelinterfaces.

The following commands wereintroduced or modified: tunnelprotection ipsec profile.

IKE Profile Based TunnelSelection

The DVTI can accept multipleIPsec selectors that are proposedby the initiator.

The following commands wereintroduced or modified: setsecurity-policy limit, setreverse-route.

Multi-SA for Dynamic VTIs

IPsec VTIs provide a routableinterface type for terminating IPsectunnels and an easy way to defineprotection between sites to form anoverlay network. IPsec VTIssimplify configuration of IPsec forprotection of remote links, supportmulticast, and simplify networkmanagement and load balancing.

Static IPsec VTIs




The Tunnel Mode Auto Selectionfeature eases the configuration andspares you about knowing theresponder’s details. This featureautomatically applies the tunnelingprotocol (GRE or IPsec) andtransport protocol (IPv4 or IPv6)on the virtual template as soon asthe IKE profile creates the virtualaccess interface.

The following command wasintroduced or modified:virtual-template

Tunnel Mode Auto Selection

The FlexVPNMixedMode v6 overv4 Transport feature providessupport for carrying IPv6 trafficover IPsec IPv4 transport. Thisimplementation does not supportusing a single IPsec securityassociation (SA) pair for both IPv4and IPv6 traffic.

FlexVPNMixed Mode v6 over v4Transport





C H A P T E R 3SafeNet IPsec VPN Client Support

The SafeNet IPsec VPNClient Support feature allows you to limit the scope of an Internet Security Associationand Key Management Protocol (ISAKMP) profile or ISAKMP keyring configuration to a local terminationaddress or interface. The benefit of this feature is that different customers can use the same peer identitiesand ISAKMP keys by using different local termination addresses.

History for the SafeNet IPsec VPN Client Support Feature

ModificationRelease

This feature was introduced.12.3(14)T

This feature was integrated into Cisco IOS Release12.2(18)SXE.

12.2(18)SXE


• Prerequisites for SafeNet IPsec VPN Client Support, page 72

• Restrictions for SafeNet IPsec VPN Client Support, page 72

• Information About SafeNet IPsec VPN Client Support, page 72

• How to Configure SafeNet IPsec VPN Client Support, page 73

• Configuration Examples for SafeNet IPsec VPN Client Support, page 77







Prerequisites for SafeNet IPsec VPN Client Support• You must understand how to configure ISAKMP profiles and ISAKMP keyrings.

Restrictions for SafeNet IPsec VPN Client Support• The local address option works only for the primary address of an interface.

• If an IP address is provided, the administrator has to ensure that the connection of the peer terminatesto the address that is provided.

• If the IP address does not exist on the device, or if the interface does not have an IP address, the ISAKMPprofile or ISAKMP keyring will be effectively disabled.

Information About SafeNet IPsec VPN Client Support

ISAKMP Profile and ISAKMP Keyring Configurations BackgroundPrior to Cisco IOS Release 12.3(14)T, ISAKMP-profile and ISAKMP-keyring configurations could be onlyglobal, meaning that the scope of these configurations could not be limited by any locally defined parameters(VRF instances were an exception). For example, if an ISAKMP keyring contained a preshared key for address10.11.12.13, the same key would be used if the peer had the address 10.11.12.13, irrespective of the interfaceor local address to which the peer was connected. There are situations, however, in which users prefer thatassociate keyrings be bound not only with virtual route forwarding (VRF) instances but also to a particularinterface. For example, if instead of VRF instances, there are virtual LANS, and the Internet Key Exchange(IKE) is negotiated with a group of peers using one fixed virtual LAN (VLAN) interface. Such a group ofpeers uses a single preshared key, so if keyrings could be bound to an interface, it would be easy to define awildcard key without risking that the keys would also be used for other customers.

Sometimes the identities of the peer are not in the control of the administrator, and even if the same peernegotiates for different customers, the local termination address is the only way to distinguish the peer. Aftersuch a distinction is made, if the traffic is sent to different VRF instances, configuring an ISAKMP profile isthe only way to distinguish the peer. Unfortunately, when the peer uses an identical identity for all suchsituations, the ISAKMP profile cannot distinguish among the negotiations. For such scenarios, it would bebeneficial to bind ISAKMP profiles to a local termination address. If a local termination address could beassigned, identical identities from the peer would not be a problem.

Local Termination Address or InterfaceEffective with Cisco IOS Release 12.3(14)T, the SafeNet IPsec VPN Client Support feature allows you tolimit the scope of ISAKMP profiles and ISAKMP keyrings to a local termination address or interface.


SafeNet IPsec VPN Client SupportPrerequisites for SafeNet IPsec VPN Client Support

Benefit of SafeNet IPsec VPN Client SupportThe benefit of this feature is that different customers can use the same peer identities and ISAKMP keys byusing different local termination addresses.

How to Configure SafeNet IPsec VPN Client SupportThis section contains the following procedures. The first two configurations are independent of each other.

Limiting an ISAKMP Profile to a Local Termination Address or InterfaceTo configure an ISAKMP profile and limit it to a local termination address or interface, perform the followingsteps.

SUMMARY STEPS

1. enable2. configure terminal3. crypto isakmp profile profile-name4. keyring keyring-name5. match identity address address6. local-address {interface-name | ip-address [vrf-tag ]}

DETAILED STEPS



Example:

Router> enable



Example:

Router# configure terminal

Step 2

Defines an ISAKMP profile and enters ISAKMP profileconfiguration mode.

crypto isakmp profile profile-name

Example:

Router (config)# crypto isakmp profileprofile1

Step 3

(Optional) Configures a keyring with an ISAKMP profile.keyring keyring-nameStep 4


SafeNet IPsec VPN Client SupportBenefit of SafeNet IPsec VPN Client Support


Example:

Router (conf-isa-profile)# keyring keyring1

• A keyring is not needed inside an ISAKMP profile forlocal termination to work. Local termination works evenif Rivest, Shamir, and Adelman (RSA) certificates areused.

Matches an identity from a peer in an ISAKMP profile.match identity address address

Example:

Router (conf-isa-profile)# match identityaddress 10.0.0.0 255.0.0.0

Step 5

Limits the scope of an ISAKMP profile or an ISAKMPkeyring configuration to a local termination address orinterface.

local-address {interface-name | ip-address [vrf-tag]}

Example:

Router (conf-isa-profile)# local-addressserial2/0

Step 6

Limiting a Keyring to a Local Termination Address or InterfaceTo configure an ISAKMP keyring and limit its scope to a local termination address or interface, perform thefollowing steps.

SUMMARY STEPS

1. enable2. configure terminal3. crypto keyring keyring-name4. local-address {interface-name |ip-address[vrf-tag ]}5. pre-shared-key address address

DETAILED STEPS



Example:

Router> enable



SafeNet IPsec VPN Client SupportLimiting a Keyring to a Local Termination Address or Interface



Example:

Router# configure terminal

Step 2

Defines a crypto keyring to be used during IKEauthentication and enters keyring configuration mode.

crypto keyring keyring-name

Example:

Router (config)# crypto keyring keyring1

Step 3

Limits the scope of an ISAKMP profile or an ISAKMPkeyring configuration to a local termination address orinterface.

local-address {interface-name |ip-address[vrf-tag ]}

Example:

Router (conf-keyring)# local-address serial2/0

Step 4

Defines a preshared key to be used for IKE authentication.pre-shared-key address address

Example:

Router (conf-keyring)# pre-shared-key address10.0.0.1

Step 5

Monitoring and Maintaining SafeNet IPsec VPN Client SupportThe following debug and show commands may be used to monitor and maintain the configuration in whichyou limited the scope of an ISAKMP profile or ISAKMP keyring to a local termination address or interface.

SUMMARY STEPS

1. enable2. debug crypto isakmp3. show crypto isakmp profile

DETAILED STEPS



Example:

Router> enable



SafeNet IPsec VPN Client SupportMonitoring and Maintaining SafeNet IPsec VPN Client Support


Displays messages about IKE events.debug crypto isakmp

Example:

Router# debug crypto isakmp

Step 2

Lists all the ISAKMP profiles that are defined on a router.show crypto isakmp profile

Example:

Router# show crypto isakmp profile

Step 3

Examples

debug crypto isakmp Command Output for an ISAKMP Keyring That IsBound to Local Termination Addresses Example

You have an ISAKMP configuration as follows (the address of serial2/0 is 10.0.0.1, and the address of serial2/1is 10.0.0.2),

crypto keyring keyring1! Scope of the keyring is limited to interface serial2/0.local-address serial2/0! The following is the key string used by the peer.pre-shared-key address 10.0.0.3 key somerandomkeystring

crypto keyring keyring2local-address serial2/1! The following is the keystring used by the peer coming into serial2/1.pre-shared-key address 10.0.0.3 key someotherkeystring

and if the connection is coming into serial2/0, keyring1 is chosen as the source of the preshared key (andkeyring2 is ignored because it is bound to serial2/1), you would see the following output:

Router# debug crypto isakmp*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):Keyring keyring2 is bound to10.0.0.0, skipping

*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):Looking for a matching key for10.0.0.3 in keyring1

*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0): : success*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):found peer pre-shared keymatching 10.0.0.3

*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0): local preshared key found

debug crypto isakmp Command Output for an ISAKMP ProfileThat Is Boundto a Local Termination Address Example

If you have the following configuration,

crypto isakmp profile profile1keyring keyring1match identity address 10.0.0.0 255.0.0.0local-address serial2/0

crypto isakmp profile profile2keyring keyring1keyring keyring2


SafeNet IPsec VPN Client SupportMonitoring and Maintaining SafeNet IPsec VPN Client Support

self-identity fqdnmatch identity address 10.0.0.1 255.255.255.255local-address serial2/1

and the connection is coming through the local terminal address serial2/0, you will see the following output:

Router# debug crypto isakmp*Feb 11 15:01:29.935: ISAKMP:(0:0:N/A:0):Profile profile2 bound to 10.0.0.0 skipped*Feb 11 15:01:29.935: ISAKMP:(0:1:SW:1):: peer matches profile1 profile

show crypto isakmp profile Command Output Example

The following is an example of typical show command output for an ISAKMP profile that is bound to serial2/0:

Router# show crypto isakmp profileISAKMP PROFILE profile1Identities matched are:ip-address 10.0.0.0 255.0.0.0

Certificate maps matched are:keyring(s): keyring1trustpoint(s): <all>Interface binding: serial2/0 (10.20.0.1:global)

Troubleshooting SafeNet IPsec VPN Client SupportIf an ISAKMP profile or ISAKMP keyring fails to be selected, you should double-check the local-addressbinding in the ISAKMP profile or ISAKMP keyring configuration and follow the output of the IKE debugsto determine whether the peer is correctly terminating on the address. You may remove the local-addressbinding (to make the scope of the profile or keyring global) and check to determine whether the profile orkeyring is selected to confirm the situation.

Configuration Examples for SafeNet IPsec VPN Client SupportThis section contains the following configuration, debug command, and show command examples.

ISAKMP Profile Bound to a Local Interface ExampleThe following example shows that the ISAKMP profile is bound to a local interface:

crypto isakmp profile profile1keyring keyring1match identity address 10.0.0.0 255.0.0.0

local-address serial2/0

ISAKMP Keyring Bound to a Local Interface ExampleThe following example shows that the ISAKMP keyring is bound only to interface serial2/0:

crypto keyringlocal-address serial2/0

pre-shared-key address 10.0.0.1


SafeNet IPsec VPN Client SupportTroubleshooting SafeNet IPsec VPN Client Support

ISAKMP Keyring Bound to a Local IP Address ExampleThe following example shows that the ISAKMP keyring is bound only to IP address 10.0.0.2:

crypto keyring keyring1local-address 10.0.0.2

pre-shared-key address 10.0.0.2 key

ISAKMP Keyring Bound to an IP Address and Limited to a VRF ExampleThe following example shows that an ISAKMP keyring is bound to IP address 10.34.35.36 and that the scopeis limited to VRF examplevrf1:

ip vrf examplevrf1rd 12:3456

crypto keyring ring1local-address 10.34.35.36 examplevrf1

interface ethernet2/0ip vrf forwarding examplevrf1ip address 10.34.35.36 255.255.0.0

Additional ReferencesThe following sections provide references related to SafeNet IPsec VPN Client Support.

Related DocumentsStandardsDocument TitleRelated Topic

VRF-Aware IPsecConfiguring ISAKMPprofiles and ISAKMPkeyrings

Cisco IOS Security Command ReferenceSecurity commands

TitleStandard

--No new or modified standards are supported by thisfeature.


SafeNet IPsec VPN Client SupportISAKMP Keyring Bound to a Local IP Address Example

MIBsMIBs LinkMIB



No new or modified MIBs are supported by thisfeature.

RFCsTitleRFC

--No new or modified RFCs are supported by thisfeature.

Technical AssistanceLinkDescription

http://www.cisco.com/techsupportThe Cisco Support website provides extensive onlineresources, including documentation and tools fortroubleshooting and resolving technical issues withCisco products and technologies.

To receive security and technical information aboutyour products, you can subscribe to various services,such as the Product Alert Tool (accessed from FieldNotices), the Cisco Technical Services Newsletter,and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support websiterequires a Cisco.com user ID and password.


SafeNet IPsec VPN Client SupportMIBs


http://www.cisco.com/techsupport


SafeNet IPsec VPN Client SupportTechnical Assistance

C H A P T E R 4Crypto Conditional Debug Support

The Crypto Conditional Debug Support feature introduces three new command-line interfaces (CLIs) thatallow users to debug an IP Security (IPSec) tunnel on the basis of predefined crypto conditions such as thepeer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debugmessages to specific IPSec operations and reducing the amount of debug output, users can better troubleshoota router with a large number of tunnels.

Feature History for Crypto Conditional Debug Support

Feature History

ModificationRelease

This feature was introduced.12.3(2)T


• Prerequisites for Crypto Conditional Debug Support, page 82

• Restrictions for Crypto Conditional Debug Support, page 82

• Information About Crypto Conditional Debug Support, page 82

• How to Enable Crypto Conditional Debug Support, page 83

• Configuration Examples for the Crypto Conditional Debug CLIs, page 86







Prerequisites for Crypto Conditional Debug SupportTo use the new crypto CLIs, you must be using a crypto image such as the k8 or k9 subsystem.

Restrictions for Crypto Conditional Debug Support• This feature does not support debug message filtering for hardware crypto engines.

• Although conditional debugging is useful for troubleshooting peer-specific or functionality relatedInternet Key Exchange (IKE) and IPSec problems, conditional debugging may not be able to define andcheck large numbers of debug conditions.

• Because extra space is needed to store the debug condition values, additional processing overhead isadded to the CPU and memory usage is increased. Thus, enabling crypto conditional debugging on arouter with heavy traffic should be used with caution.

Information About Crypto Conditional Debug Support

Supported Condition TypesThe new crypto conditional debug CLIs-- debug crypto condition , debug crypto condition unmatched , andshow crypto debug-condition --allow you to specify conditions (filter values) in which to generate and displaydebug messages related only to the specified conditions. The table below lists the supported condition types.

Table 6: Supported Condition Types for Crypto Debug CLI

DescriptionCondition Type (Keyword)

An integer between 1-32766. Relevant debugmessages will be shown if the current IPSec operationuses this value as the connection ID to interface withthe crypto engine.

connid 1

An integer between 1-32766. Relevant debugmessages will be shown if the current IPSec operationuses this value as the flow-ID to interface with thecrypto engine.

flowid 1

The name string of a virtual private network (VPN)routing and forwarding (VRF) instance. Relevantdebug messages will be shown if the current IPSecoperation uses this VRF instance as its front-doorVRF (FVRF).

FVRF


Crypto Conditional Debug SupportPrerequisites for Crypto Conditional Debug Support

DescriptionCondition Type (Keyword)

The name string of a VRF instance. Relevant debugmessages will be shown if the current IPSec operationuses this VRF instance as its inside VRF (IVRF).

IVRF

AUnity group-name string. Relevant debugmessageswill be shown if the peer is using this group name asits identity.

peer group

A fully qualified domain name (FQDN) string.Relevant debug messages will be shown if the peeris using this string as its identity; for example, if thepeer is enabling IKE Xauth with this FQDN string.

peer hostname

A single IP address. Relevant debug messages willbe shown if the current IPSec operation is related tothe IP address of this peer.

peer ipaddress

A subnet and a subnet mask that specify a range ofpeer IP addresses. Relevant debug messages will beshown if the IP address of the current IPSec peer fallsinto the specified subnet range.

peer subnet

A username string. Relevant debug messages will beshown if the peer is using this username as its identity;for example, if the peer is enabling IKE ExtendedAuthentication (Xauth) with this username.

peer username

A 32-bit unsigned integer. Relevant debug messageswill be shown if the current IPSec operation uses thisvalue as the SPI.

SPI 1

1 If an IPSec connid, flowid, or SPI is used as a debug condition, the debug messages for a related IPSec flow are generated. An IPSec flow has two connids,flowids, and SPIs--one inbound and one outbound. Both two connids, flowids, and SPIs can be used as the debug condition that triggers debug messages forthe IPSec flow.

How to Enable Crypto Conditional Debug Support

Enabling Crypto Conditional Debug Messages

Performance Considerations• Before enabling crypto conditional debugging, you must decide what debug condition types (also knownas debug filters) and values will be used. The volume of debug messages is dependent on the numberof conditions you define.


Crypto Conditional Debug SupportHow to Enable Crypto Conditional Debug Support

Specifying numerous debug conditionsmay consumeCPU cycles and negatively affect router performance.Note

• Your router will perform conditional debugging only after at least one of the global crypto debugcommands--debug crypto isakmp, debug crypto ipsec, and debug crypto engine--has been enabled.This requirement helps to ensure that the performance of the router will not be impacted when conditionaldebugging is not being used.

Disable Crypto Debug ConditionsIf you choose to disable crypto conditional debugging, you must first disable any crypto global debug CLIsyou have issued ; thereafter, you can disable conditional debugging.

The reset keyword can be used to disable all configured conditions at one time.Note

SUMMARY STEPS

1. enable2. debug crypto condition [connidintegerengine-idinteger ] [flowidinteger engine-idinteger ] [fvrf string]

[ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [usernamestring]] [spi integer] [reset]

3. show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}4. debug crypto isakmp5. debug crypto ipsec6. debug crypto engine7. debug crypto condition unmatched [isakmp | ipsec | engine]

DETAILED STEPS



Example:

Router> enable


Defines conditional debug filters.debug crypto condition [connidintegerengine-idinteger ][flowidinteger engine-idinteger ] [fvrf string] [ivrf string]

Step 2

[peer [group string] [hostname string] [ipv4 ipaddress][subnet subnet mask] [username string]] [spi integer] [reset]


Crypto Conditional Debug SupportEnabling Crypto Conditional Debug Messages


Example:

Router# debug crypto condition connid 2000 engine-id1

Displays crypto debug conditions that have alreadybeen enabled in the router.

show crypto debug-condition {[peer] [connid] [spi] [fvrf][ivrf] [unmatched]}

Example:

Router# show crypto debug-condition spi

Step 3

Enables global IKE debugging.debug crypto isakmp

Example:

Router#debug crypto isakmp

Step 4

Enables global IPSec debugging.debug crypto ipsec

Example:

Router#debug crypto ipsec

Step 5

Enables global crypto engine debugging.debug crypto engine

Example:

Router#debug crypto engine

Step 6

(Optional) Displays debug conditional cryptomessages when no context information is availableto check against debug conditions.

debug crypto condition unmatched [isakmp | ipsec | engine]

Example:

Router# debug crypto condition unmatched ipsec

Step 7

If none of the optional keywords are specified, allcrypto-related information will be shown.

Enabling Crypto Error Debug MessagesTo enable crypto error debug messages, you must perform the following tasks.

debug crypto error CLIEnabling the debug crypto error command displays only error-related debug messages, thereby, allowingyou to easily determine why a crypto operation, such as an IKE negotiation, has failed within your system.


Crypto Conditional Debug SupportEnabling Crypto Error Debug Messages

When enabling this command, ensure that global crypto debug commands are not enabled; otherwise, theglobal commands will override any possible error-related debug messages.

Note

SUMMARY STEPS

1. enable2. debug crypto {isakmp | ipsec | engine} error

DETAILED STEPS



Example:

Router> enable


Enables only error debugging messages for a crypto area.debug crypto {isakmp | ipsec | engine} error

Example:

Router# debug crypto ipsec error

Step 2

Configuration Examples for the Crypto Conditional Debug CLIs

Enabling Crypto Conditional Debugging ExampleThe following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2,or 10.1.1.3, and when the connection-ID 2000 of crypto engine 0 is used. This example also shows how toenable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditionalsettings.

Router#debug crypto condition connid 2000 engine-id 1Router#debug crypto condition peer ipv4 10.1.1.1Router#debug crypto condition peer ipv4 10.1.1.2Router#debug crypto condition peer ipv4 10.1.1.3Router#debug crypto condition unmatched! Verify crypto conditional settings.Router#show crypto debug-conditionCrypto conditional debug currently is turned ON


Crypto Conditional Debug SupportConfiguration Examples for the Crypto Conditional Debug CLIs

IKE debug context unmatched flag:ONIPsec debug context unmatched flag:ONCrypto Engine debug context unmatched flag:ONIKE peer IP address filters:10.1.1.1 10.1.1.2 10.1.1.3Connection-id filters:[connid:engine_id]2000:1,! Enable global crypto CLIs to start conditional debugging.Router#debug crypto isakmpRouter#debug crypto ipsecRouter#debug crypto engine

Disabling Crypto Conditional Debugging ExampleThe following example shows how to disable all crypto conditional settings and verify that those settings havebeen disabled:

Router#debug crypto condition reset! Verify that all crypto conditional settings have been disabled.Router#show crypto debug-conditionCrypto conditional debug currently is turned OFFIKE debug context unmatched flag:OFFIPsec debug context unmatched flag:OFFCrypto Engine debug context unmatched flag:OFF

Additional ReferencesThe following sections provide references to the Crypto Conditional Debug Support feature.

Related Documents


“Internet Key Exchange for IPsec VPNs” section ofCisco IOS Security Configuration Guide: SecureConnectivity

IPSec and IKE configuration tasks

Cisco IOS Security Command ReferenceIPSec and IKE commands

Standards

TitleStandards

--None


Crypto Conditional Debug SupportDisabling Crypto Conditional Debugging Example

MIBs

MIBs LinkMIBs



None

RFCs

TitleRFCs

--None


LinkDescription

http://www.cisco.com/techsupportTechnical Assistance Center (TAC) home page,containing 30,000 pages of searchable technicalcontent, including links to products, technologies,solutions, technical tips, and tools. RegisteredCisco.com users can log in from this page to accesseven more content.


Crypto Conditional Debug SupportAdditional References


http://www.cisco.com/public/support/tac/home.shtml

C H A P T E R 5VPN Acceleration Module

VPN Acceleration Module (VAM) supports Data Encryption Standard (DES) or Triple DES (3DES) IPsecencryption at a rate greater than full-duplex DS-3 line rate (up to 145 Mbps) for site-to-site VPNs such asintranets and extranets. VAM also supports up to 5000 encrypted tunnels for mixed VPN environments thathave both site-to-site and remote access VPN requirements. VAM integrates hardware-assisted Rivest,Shamir, and Adelman (RSA) and IP Payload Compression Protocol (IPPCP) layer 3 compression to accelerateRSA processing, thereby enhancing tunnel setup and improving overall VPN initialization. In environmentswhere bandwidth is costly, VAM provides hardware-based IPPCP Lempel-Ziv-Stac (LZS) processing tocompress network traffic before it is encrypted and sent over pay-per-byte WAN connections.


• Prerequisites for VPN Acceleration Module, page 90

• Information about VPN Acceleration Module (VAM), page 90

• How To Configure VPN Acceleration Module (VAM), page 93

• Configuration Examples for VPN Acceleration, page 106

• Additional References for VPN Acceleration Module, page 107

• Feature Information for VPN Acceleration Module, page 108

• Glossary, page 110






Prerequisites for VPN Acceleration ModuleYou must configure IPSec and IKE on the router and a crypto map to all interfaces that require encryptionservice from the VPN Acceleration Module.

Information about VPN Acceleration Module (VAM)

VPN Acceleration Module (VAM) OverviewThe VPN Acceleration Module (VAM) is a single-width acceleration module. It provides high-performance,hardware-assisted tunneling and encryption services suitable for VPN remote access, site-to-site intranet, andextranet applications. It also provides platform scalability and security while working with all services necessaryfor successful VPN deployments—security, quality of service (QoS), firewall and intrusion detection,service-level validation, and management. The VAM off-loads IPsec processing from the main processor,thus freeing resources on the processor engines for other tasks.

The VAM provides hardware-accelerated support for the following multiple encryption functions:

• 56-bit Data Encryption Standard (DES) standard mode: Cipher Block Chaining (CBC)

• 3-Key Triple DES (168-bit)

• Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5)

• Rivest, Shamir, Adelman (RSA) public-key algorithm

• Diffie-Hellman key exchange RC4-40

BenefitsThe VAM provides the following benefits:

• 10 tunnels per second

• The following number of tunnels based on the corresponding memory of the NPE:

• 800 tunnels for 64 MB




• RSA encryption

• Accelerated Crypto performance

• Accelerated Internet Key Exchange (IKE)

• Certificate support for automatic authentication using digital certificates


VPN Acceleration ModulePrerequisites for VPN Acceleration Module

• Dual VAM support

Support for dual VAMs is available on a Cisco 7200 series router with an NPE-G1, on Cisco IOS Release12.2(15)T, 12.1(14)E, and 12.3 Mainline.

Note

• Encryption services to any port adapter installed in the router. The interface on the port adapter must beconfigured with a crypto map to support IPSec.

• Full-duplex data transmission of over 100 Mbps with various encryption and compression schemes for300 byte packages

• Hardware-based IPPCP LZS compression

• Network traffic compression that reduces bandwidth utilization

• Online Insertion and Removal (OIR)

• QoS, multiprotocol, and multicast feature interoperation

• Support for full Layer 3 routing, such as Enhanced Interior Gateway Routing Protocol (EIGRP), OpenShortest Path First (OSPF), and Border Gateway Protocol (BGP) across the IPSec VPN

• Up to 145 Mbps throughput using 3DES

• VPN initialization improvements

Performance Results for Single VAM

The following two tables provide performance results for a single VAM on a Cisco 7206VXRwith an NPE-G1processor, an onboard GE, and FE port adapters in slots 3 and 4.

out_packet_sizecrypto_packet_sizeclear_packet _size

1149664

354336300

145014321400

396378Mixed packet size - 344

meas_out_ndr(Mbps)

meas_crypto_ndr(Mbps)

meas_clear_ndr(Mbps)

measured_pps(pps)

# of tunnelspkt_size (bytes)

59.4850.0933.3965,224464

38.2032.1721.4441,888500

36.9231.0920.7340,4801,000

35.9430.2720.1839,4085,000


VPN Acceleration ModuleBenefits

meas_out_ndr(Mbps)



measured_pps(pps)


107.71102.2391.2838,0324300

105.3199.9589.2437,184500

102.1396.9486.5536,0641,000

101.9996.8186.4436,0165,000

115.81114.38111.829,98441400

114.24112.82110.299,848500

111.92110.53108.069,6481,000

111.55110.16107.709,6165,000

99.7095.1786.6131,4724Mixed packetsize

98.3993.9185.4731,056500

95.4591.1182.9130,1281,000

92.7188.4980.5329,2645,000

Performance Results for Dual VAMs

The following two tables provide performance results for dual VAMs on a Cisco 7206VXR with an NPE-G1processor, an onboard GE, and FE port adapters in slots 3 and 4.

out_packet_sizecrypto_packet_sizeclear_packet _size

1149664

354336300

145014321400

396378Mixed packet size - 344

meas_out_ndr(Mbps)



measured_pps(pps)


123.61104.1069.40135,544464


VPN Acceleration ModuleBenefits

meas_out_ndr(Mbps)



measured_pps(pps)


56.1147.2531.5061,520500

51.9243.7229.1556,9281,000

39.8933.6022.4043,7445,000

202.02191.75171.2171,3364300

171.10162.40145.0060,416500

158.64150.57134.4456,0161,000

120.35114.23101.9942,4965,000

217.34214.64209.8418,73641400

213.72211.07206.3518,424500

212.88210.24205.5418,3521000

212.88210.24205.5418,3525,000

191.40182.70166.2660,4164Mixed packetsize

183.40175.05159.3157,888500

175.79167.80152.7055,4881,000

108.57103.6494.3234,2725,000

How To Configure VPN Acceleration Module (VAM)On power up if the enabled LED is on, the VAM is fully functional and does not require any configurationcommands. However, for the VAM to provide encryption services, you must complete the following tasks:

Creating IKE Policies

Before You Begin

The following restrictions apply if you are configuring an AES IKE policy:

• Your device must support IPsec and long keys (the “k9” subsystem).

• AES cannot encrypt IPsec and IKE traffic if an acceleration card is present.


VPN Acceleration ModuleHow To Configure VPN Acceleration Module (VAM)

SUMMARY STEPS

1. enable2. configure terminal3. crypto isakmp policy priority4. encryption {des | 3des | aes | aes 192 | aes 256}5. hash {sha | sha256 | sha384 |md5}6. authentication {rsa-sig | rsa-encr | pre-share}7. group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}8. lifetime seconds9. exit10. exit11. show crypto isakmp policy12. Repeat these steps for each policy you want to create.

DETAILED STEPS



Example:Router> enable



Example:Router# configure terminal

Step 2

Defines an IKE policy and enters config-isakmp configuration mode.crypto isakmp policy priorityStep 3

Example:Router(config)# crypto isakmppolicy 10

• priority—Uniquely identifies the IKE policy and assigns a priority tothe policy. Valid values: 1 to 10,000; 1 is the highest priority.

Specifies the encryption algorithm.encryption {des | 3des | aes | aes 192 |aes 256}

Step 4

• By default, the des keyword is used.

Example:Router(config-isakmp)# encryptionaes 256

• des—56-bit DES-CBC (No longer recommended. AES is therecommended encryption algorithm)

• 3des—168-bit DES (No longer recommended. AES is therecommended encryption algorithm)

• aes—128-bit AES

• aes 192—192-bit AES

• aes 256—256-bit AES


VPN Acceleration ModuleCreating IKE Policies


Specifies the hash algorithm.hash {sha | sha256 | sha384 |md5}Step 5

Example:Router(config-isakmp)# hash sha

• By default, SHA-1 (sha) is used.



• Themd5 keyword specifiesMD5 (HMACvariant) as the hash algorithm.(No longer recommended. SHA-256 is the recommended replacement.)

Specifies the authentication method.authentication {rsa-sig | rsa-encr |pre-share}

Step 6

• By default, RSA signatures are used.

Example:Router(config-isakmp)#authentication pre-share

• rsa-sig—RSA signatures require that you configure your peerrouters to obtain certificates from a CA.

• rsa-encr—RSA encrypted nonces require that you ensure eachpeer has the other peer’s RSA public keys.

• pre-share—Preshared keys require that you separately configurethese preshared keys.

Specifies the Diffie-Hellman (DH) group identifier.group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 |24}

Step 7

• By default, DH group 1 is used.

Example:Router(config-isakmp)# group 14

• 1—768-bit DH (No longer recommended.)






• 19—Specifies the 256-bit elliptic curve DH (ECDH) group.

• 20—Specifies the 384-bit ECDH group.

• 24—Specifies the 2048-bit DH/DSA group.

The group chosen must be strong enough (have enough bits) to protect theIPsec keys during negotiation. A generally accepted guideline recommendsthe use of a 2048-bit group after 2013 (until 2030). Group 14 or higher (wherepossible) can be selected to meet this guideline. Even if a longer-lived securitymethod is needed, the use of Elliptic Curve Cryptography is recommended,but group 15 and group 16 can also be considered.


VPN Acceleration ModuleCreating IKE Policies


Specifies the lifetime of the IKE SA.lifetime secondsStep 8

Example:Router(config-isakmp)# lifetime180

• seconds—Time, in seconds, before each SA expires. Valid values: 60to 86,400; default value: 86,400.

The shorter the lifetime (up to a point), the more secure your IKEnegotiations will be. However, with longer lifetimes, future IPsecSAs can be set up more quickly.

Note

Exits config-isakmp configuration mode.exit

Example:Router(config-isakmp)# exit

Step 9


Example:Router(config)# exit

Step 10

(Optional) Displays all existing IKE policies.show crypto isakmp policy

Example:Router# show crypto isakmp policy

Step 11

—Repeat these steps for each policy youwant to create.

Step 12

Examples

The following sample output from the show crypto isakmp policy command displays a warning messageafter a user tries to configure an IKE encryption method that the hardware does not support:Router# show crypto isakmp policyProtection suite of priority 1

encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).WARNING:encryption hardware does not support the configuredencryption method for ISAKMP policy 1

hash algorithm: Secure Hash Standard 2 (256-bit)authentication method: Pre-Shared KeyDiffie-Hellman group: #14 (2048 bit)lifetime: 3600 seconds, no volume limit

Configuring IPsecAfter you have completed IKE configuration, configure IPsec at each participating IPsec peer. This sectioncontains basic steps to configure IPsec.


VPN Acceleration ModuleConfiguring IPsec

Creating Crypto Access Lists

SUMMARY STEPS

1. enable2. configure terminal3. Do one of the following:

• access-list access-list-number {deny | permit} protocol source source-wildcard destinationdestination-wildcard [log]

• ip access-list extended name

4. Repeat Step 3 for each crypto access list you want to create.

DETAILED STEPS







Step 2

Specifies conditions to determinewhich IP packets are protected.Do one of the following:Step 3

• access-list access-list-number {deny | permit}protocol source source-wildcard destinationdestination-wildcard [log]

• You specify conditions using an IP access list designatedby either a number or a name. The access-list commanddesignates a numbered extended access list; the ipaccess-list extended command designates a named accesslist.• ip access-list extended name

• Enable or disable crypto for traffic that matches theseconditions.Example:

Device(config)# access-list 100 permit ip10.0.68.0 0.0.0.255 10.1.1.0 0.0.0.255 Cisco recommends that you configure “mirror image”

crypto access lists for use by IPsec and that you avoidusing the any keyword.

Tip

Example:Device(config)# ip access-list extendedvpn-tunnel

—Repeat Step 3 for each crypto access list you want tocreate.

Step 4




SUMMARY STEPS

1. enable2. configure terminal3. crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]4. mode [tunnel | transport]5. end6. clear crypto sa [peer {ip-address | peer-name} | samapmap-name | sa entry destination-address protocol

spi]7. show crypto ipsec transform-set [tag transform-set-name]

DETAILED STEPS







Step 2

Defines a transform set and enters crypto transform configurationmode.crypto ipsec transform-set transform-set-nametransform1 [transform2 [transform3]]

Step 3

• There are complex rules defining the entries that you can use fortransform arguments. These rules are explained in the command

Example:Device(config)# crypto ipsectransform-set aesset esp-aes 256esp-sha-hmac

description for the crypto ipsec transform-set command, andthe table in “About Transform Sets” section provides a list ofallowed transform combinations.

(Optional) Changes the mode associated with the transform set.mode [tunnel | transport]Step 4

Example:Device(cfg-crypto-tran)# mode transport

• The mode setting is applicable only to traffic whose source anddestination addresses are the IPsec peer addresses; it is ignoredfor all other traffic. (All other traffic is in tunnel mode only.)

Exits crypto transform configurationmode and enters privileged EXECmode.

end

Example:Device(cfg-crypto-tran)# end

Step 5




(Optional) Clears existing IPsec security associations so that anychanges to a transform set takes effect on subsequently establishedsecurity associations.

clear crypto sa [peer {ip-address | peer-name}| sa map map-name | sa entrydestination-address protocol spi]

Step 6

Example:Device# clear crypto sa

Manually established SAs are reestablished immediately.

• Using the clear crypto sa command without parameters clearsout the full SA database, which clears out active security sessions.

• You may also specify the peer,map, or entry keywords to clearout only a subset of the SA database.

(Optional) Displays the configured transform sets.show crypto ipsec transform-set [tagtransform-set-name]

Step 7

Example:Device# show crypto ipsec transform-set

Creating Static Crypto MapsWhen IKE is used to establish SAs, the IPsec peers can negotiate the settings they use for the new securityassociations. This means that you can specify lists (such as lists of acceptable transforms) within the cryptomap entry.

Perform this task to create crypto map entries that use IKE to establish SAs. To create IPv6 crypto map entries,you must use the ipv6 keyword with the crypto map command. For IPv4 crypto maps, use the crypto mapcommand without the ipv6 keyword.


Note





SUMMARY STEPS

1. enable2. configure terminal3. crypto map [ipv6] map-name seq-num [ipsec-isakmp]4. match address access-list-id5. set peer {hostname | ip-address}6. crypto ipsec security-association dummy {pps rate | seconds seconds}7. set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]8. set security-association lifetime {seconds seconds | kilobytes kilobytes | kilobytes disable}9. set security-association level per-host10. set pfs [group1 | group14 | group15 | group16 | group19 | group2 | group20 | group24 | group5]11. end12. show crypto map [interface interface | tag map-name]

DETAILED STEPS







Step 2

Creates or modifies a crypto map entry, and enters crypto mapconfiguration mode.

crypto map [ipv6] map-name seq-num[ipsec-isakmp]

Step 3

Example:Device(config)# crypto map static-map 1ipsec-isakmp

• For IPv4 crypto maps, use the command without the ipv6keyword.

Names an extended access list.match address access-list-idStep 4

Example:Device(config-crypto-m)# match addressvpn-tunnel

• This access list determines the traffic that should be protectedby IPsec and the traffic that should not be protected by IPsecsecurity in the context of this crypto map entry.

Specifies a remote IPsec peer—the peer to which IPsec protectedtraffic can be forwarded.


Example:Device(config-crypto-m)# set-peer192.168.101.1

Step 5

• Repeat for multiple remote peers.




Enables generating dummy packets. These dummy packets aregenerated for all flows created in the crypto map.

crypto ipsec security-association dummy {ppsrate | seconds seconds}

Example:Device(config-crypto-m)# setsecurity-association dummy seconds 5

Step 6

Specifies the transform sets that are allowed for this crypto map entry.set transform-set transform-set-name1[transform-set-name2...transform-set-name6]

Step 7

• List multiple transform sets in the order of priority (highestpriority first).


(Optional) Specifies a SA lifetime for the crypto map entry.set security-association lifetime {secondsseconds | kilobytes kilobytes | kilobytes disable}

Step 8

• By default, the SAs of the crypto map are negotiated accordingto the global lifetimes, which can be disabled.

Example:Device (config-crypto-m)# setsecurity-association lifetime seconds2700

(Optional) Specifies that separate SAs should be established for eachsource and destination host pair.

set security-association level per-host

Example:Device(config-crypto-m)# setsecurity-association level per-host

Step 9

• By default, a single IPsec “tunnel” can carry traffic for multiplesource hosts and multiple destination hosts.

Use this command with care because multiple streamsbetween given subnets can rapidly consume resources.

Caution

(Optional) Specifies that IPsec either should ask for password forwardsecrecy (PFS) when requesting new SAs for this crypto map entry orshould demand PFS in requests received from the IPsec peer.

set pfs [group1 | group14 | group15 | group16| group19 | group2 | group20 | group24 |group5]

Step 10

Example:Device(config-crypto-m)# set pfs group14







• Group 19 specifies the 256-bit elliptic curve DH (ECDH)identifier.






• By default, PFS is not requested. If no group is specified withthis command, group 1 is used as the default.

Exits crypto map configuration mode and returns to privileged EXECmode.

end

Example:Device(config-crypto-m)# end

Step 11


Step 12


Verifying the Configuration

SUMMARY STEPS

1. show crypto ipsec transform-set2. show crypto map [interface interface | tag map-name]3. show crypto ipsec sa [map map-name | address | identity | detail | interface]

DETAILED STEPS

Step 1 show crypto ipsec transform-set

Example:

Device# show crypto ipsec transform-set

Transform set combined-des-md5: {esp-des esp-md5-hmac}will negotiate = {Tunnel,},

Transform set t1: {esp-des esp-md5-hmac}will negotiate = {Tunnel,},

Transform set t100: {ah-sha-hmac}will negotiate = {Transport,},

Transform set t2: {ah-sha-hmac}will negotiate = {Tunnel,},{esp-des}will negotiate = {Tunnel,},

Displays the transform set configuration.

Step 2 show crypto map [interface interface | tag map-name]



Example:

Device# show crypto map

Crypto Map “abc” 10 ipsec-isakmpPeer = 172.21.114.67Extended IP access list 141

access-list 141 permit ipsource: addr = 172.21.114.123/0.0.0.0dest: addr = 172.21.114.67/0.0.0.0

Current peer: 172.21.114.67Security-association lifetime: 4608000 kilobytes/120 secondsPFS (Y/N): NTransform sets={t1,}

Displays the crypto map configuration.

Step 3 show crypto ipsec sa [map map-name | address | identity | detail | interface]

Example:

Device# show crypto map ipsec sa interface

Crypto map tag: abc, local addr. 172.21.114.123local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)current_peer: 172.21.114.67PERMIT, flags={origin_is_acl,}#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10#send errors 10, #recv errors 0local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67path mtu 1500, media mtu 1500current outbound spi: 20890A6Finbound esp sas:spi: 0x257A1039(628756537)transform: esp-des esp-md5-hmac,in use settings ={Tunnel,}slot: 0, conn id: 26, crypto map: router-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Y

inbound ah sas:outbound esp sas:spi: 0x20890A6F(545852015)transform: esp-des esp-md5-hmac,in use settings ={Tunnel,}slot: 0, conn id: 27, crypto map: router-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Y

outbound ah sas:interface: Tunnel0

Crypto map tag: abc, local addr. 172.21.114.123local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)current_peer: 172.21.114.67PERMIT, flags={origin_is_acl,}#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10#send errors 10, #recv errors 0local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67path mtu 1500, media mtu 1500current outbound spi: 20890A6Finbound esp sas:spi: 0x257A1039(628756537)transform: esp-des esp-md5-hmac,



in use settings ={Tunnel,}slot: 0, conn id: 26, crypto map: router-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Y

inbound ah sas:outbound esp sas:spi: 0x20890A6F(545852015)transform: esp-des esp-md5-hmac,in use settings ={Tunnel,}slot: 0, conn id: 27, crypto map: router-alicesa timing: remaining key lifetime (k/sec): (4607999/90)IV size: 8 bytesreplay detection support: Y

outbound ah sas:

Displays information about IPsec security associations.

Troubleshooting TipsTo verify that Cisco IOS software has recognized VAM, enter the show diag command and check the output.For example, when the router has the VAM in slot 1, the following output appears:

Router# show diag 1Slot 1:

VAM Encryption/Compression engine. Port adapterPort adapter is analyzedPort adapter insertion time 00:04:45 agoEEPROM contents at hardware discovery:Hardware Revision :1.0PCB Serial Number :15485660Part Number :73-5953-04Board Revision :RMA Test History :00RMA Number :0-0-0-0RMA History :00Deviation Number :0-0Product Number :CLEOTop Assy. Part Number :800-10496-04CLEI Code :EEPROM format version 4EEPROM contents (hex):0x00:04 FF 40 02 8A 41 01 00 C1 8B 31 35 34 38 35 360x10:36 30 00 00 00 82 49 17 41 04 42 FF FF 03 00 810x20:00 00 00 00 04 00 80 00 00 00 00 CB 94 43 4C 450x30:4F 20 20 20 20 20 20 20 20 20 20 20 20 20 20 200x40:20 C0 46 03 20 00 29 00 04 C6 8A FF FF FF FF FF0x50:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF0x60:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF0x70:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

To see if the VAM is currently processing crypto packets, enter the show pas vam interface command. Thefollowing is sample output:

Router# show pas vam interface

Interface VAM 1/1 :ds:0x632770C8 idb:0x62813728Statistics of packets and bytes that through this interface:18 packets in 18 packets out

2268 bytes in 2268 bytes out0 paks/sec in 0 paks/sec out


VPN Acceleration ModuleTroubleshooting Tips

0 Kbits/sec in 0 Kbits/sec out83 commands out 83 commands acknowledgedppq_full_err :0 ppq_rx_err :0cmdq_full_err :0 cmdq_rx_err :0no_buffer :0 fallback :0dst_overflow :0 nr_overflow :0sess_expired :0 pkt_fragmented :0out_of_mem :0 access_denied :0invalid_fc :0 invalid_param :0invalid_handle :0 output_overrun :0input_underrun :0 input_overrun :0key_invalid :0 packet_invalid :0decrypt_failed :0 verify_failed :0attr_invalid :0 attr_val_invalid :0attr_missing :0 obj_not_wrap :0bad_imp_hash :0 cant_fragment :0out_of_handles :0 compr_cancelled :0rng_st_fail :0 other_errors :0633 seconds since last clear of counters

When the VAM processes packets, the “packet in” and “packet out” counters change. Counter “packets out”represents the number of packets directed to the VAM. Counter “packets in” represents the number of packetsreceived from the VAM.

In versions prior to Cisco IOS Release 12.2(5)T and Cisco IOS Release 12.1(10)E, upon reboot trapconfigurations are lost and need to be re-entered.

Note

Monitoring and Maintaining the VPN Acceleration ModuleUse the commands below to monitor and maintain the VPN Acceleration Module:

PurposeCommand

Displays the ISA interface configuration.Router# show pas isa interface

Displays the ISA controller configuration.Router# show pas isa controller

Verifies the VAM is currently processing cryptopackets.Router# show pas vam interface

Displays the VAM controller configuration.Router# show pas vam controller

Displays integrated service adapter as part of theinterfaces.Router# Show version


VPN Acceleration ModuleMonitoring and Maintaining the VPN Acceleration Module

Configuration Examples for VPN Acceleration

Example: Configuring IKE PoliciesIn the following example, two IKE policies are created, with policy 15 as the highest priority, policy 20 asthe next priority, and the existing default priority as the lowest priority. It also creates a preshared key to beused with policy 20 with the remote peer whose IP address is 192.168.224.33.

crypto isakmp policy 15encryption 3deshash md5authentication rsa-siggroup 2lifetime 5000crypto isakmp policy 20authentication pre-sharelifetime 10000crypto isakmp key 1234567890 address 192.168.224.33

Example: Configuring IPsec ConfigurationThe following example shows aminimal IPsec configuration where the security associations will be establishedvia IKE:

An IPsec access list defines which traffic to protect:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255A transform set defines how the traffic will be protected. In this example, transform set "myset1" uses DESencryption and SHA for data packet authentication:

crypto ipsec transform-set myset1 esp-des esp-shaAnother transform set example is "myset2," which uses Triple DES encryption and MD5 (HMAC variant)for data packet authentication:

crypto ipsec transform-set myset2 esp-3des esp-md5-hmacA crypto map joins together the IPsec access list and transform set and specifies where the protected trafficis sent (the remote IPsec peer):

crypto map toRemoteSite 10 ipsec-isakmpmatch address 101set transform-set myset2set peer 10.2.2.5The crypto map is applied to an interface:

interface Serial0ip address 10.0.0.2crypto map toRemoteSite

In this example, IKE must be enabled.Note


VPN Acceleration ModuleConfiguration Examples for VPN Acceleration

Additional References for VPN Acceleration ModuleRelated Documents


Cisco IOSMaster Commands List,All Releases

Cisco IOS commands

• Cisco IOS SecurityCommand ReferenceCommands A to C

• Cisco IOS SecurityCommand ReferenceCommands D to L

• Cisco IOS SecurityCommand ReferenceCommands M to R

• Cisco IOS SecurityCommand ReferenceCommands S to Z

Security commands

Configuring IPsecIPsec configuration

Configuring IKEIKE configuration

VAM Installation andConfiguration Guide

VAM installation and configuration tasks

Standards and RFCs

TitleStandard/RFC

IP Payload Compression Protocol (IPComp)RFC 2393

IP Payload Compression Using LZSRFC 2395

IPsec—IKERFCs 2401 to 2411

The ESP CBC-Mode Cipher AlgorithmsRFC 2451

IPSec/IKE: RFCs 2401-2411, 2451


VPN Acceleration ModuleAdditional References for VPN Acceleration Module















MIBs

MIBs LinkMIB

To locate and downloadMIBs for selected platforms,Cisco software releases, and feature sets, use CiscoMIB Locator found at the following URL:


• CISCO-IPSEC-FLOW-MONITOR-MIB

• CISCO-IPSEC-MIB

• CISCO-IPSEC-POLICY-MAP-MIB


LinkDescription


Feature Information for VPN Acceleration ModuleThe following table provides release information about the feature or features described in this module. Thistable lists only the software release that introduced support for a given feature in a given software releasetrain. Unless noted otherwise, subsequent releases of that software release train also support that feature.



VPN Acceleration ModuleFeature Information for VPN Acceleration Module


http://www.cisco.com/support


Table 7: Feature Information for VPN Acceleration Module

Feature InformationReleasesFeature Name

VPNAccelerationModule (VAM)supports Data Encryption Standard(DES) or Triple DES (3DES) IPsecencryption at a rate greater thanfull-duplex DS-3 line rate (up to145 Mbps) for site-to-site VPNssuch as intranets and extranets.VAM also supports up to 5000encrypted tunnels for mixed VPNenvironments that have bothsite-to-site and remote access VPNrequirements. VAM integrateshardware-assisted Rivest, Shamir,and Adelman (RSA) and IPPayload Compression Protocol(IPPCP) layer 3 compression toaccelerate RSA processing, therebyenhancing tunnel setup andimproving overall VPNinitialization. In environmentswhere bandwidth is costly, VAMprovides hardware-based IPPCPLempel-Ziv-Stac (LZS) processingto compress network traffic beforeit is encrypted and sent overpay-per-byte WAN connections.

In 12.1(9)E, this feature wasintroduced on the Cisco 7200 seriesrouters onNPE-225, NPE-400, andNSE-1.

In 12.1(14)E, this feature wasintegrated into Cisco IOS Release12.1(14)E and support for dualVAMs2 on the Cisco 7200 serieswith NPE-G1 was added.

In 12.2(9)YE, support for thisfeature was added to the Cisco7401ASR router3.

The following commands wereintroduced or modified:cryptoengine sw ipsec, show pas vamcontroller, show pas vaminterface.

12.1(9)E

12.1(14)E

12.2(9)YE

12.2(13)T

12.2(15)T

12.3(1)Mainline

12.2(14)SU

VPNAccelerationModule (VAM)

2 Support for dual VAMs is available on a Cisco 7200 series router with NPE-G1 on Cisco IOS Release 12.2(15)T, 12.1(14)E, and 12.3 Mainline only.


VPN Acceleration ModuleFeature Information for VPN Acceleration Module

3 The Cisco 7401ASR router is no longer sold.

Glossaryanti-replay—Security service where the receiver can reject old or duplicate packets to protect itself againstreplay attacks. IPsec provides this optional service by use of a sequence number combined with the use ofdata authentication. Cisco IOS XE IPsec provides this service whenever it provides the data authenticationservice, except for manually established SAs (that is, SAs established by configuration and not by IKE).

data authentication—Verification of the integrity and origin of the data. Data authentication can refer eitherto integrity alone or to both of these concepts (although data origin authentication is dependent upon dataintegrity).

data confidentiality—Security service in which the protected data cannot be observed.

data flow—Grouping of traffic, identified by a combination of source address or mask, destination addressor mask, IP next protocol field, and source and destination ports, where the protocol and port fields can havethe values of any. IPsec protection is applied to data flows.

IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services(such as IPSec) that require keys. Before any IPSec traffic can be passed, each router/firewall/host must verifythe identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CAservice.

IPsec—IP Security. A framework of open standards that provides data confidentiality, data integrity, and dataauthentication between participating peers. IPSec provides these security services at the IP layer. IPSec usesIKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryptionand authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts,between a pair of security gateways, or between a security gateway and a host.

peer—In the context of this module, a “peer” is a router or other device that participates in IPsec.PFS—perfect forward secrecy. Cryptographic characteristic associated with a derived shared secret value.With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequentkeys are not derived from previous keys.

SA—security association. Description of how two or more entities use security services in the context of aparticular security protocol (AH or ESP) to communicate securely on behalf of a particular data flow. Thetransform and the shared secret keys are used for protecting the traffic.

SPI—security parameter index. A number which, together with a destination IP address and security protocol,uniquely identifies a particular security association. Without IKE, the SPI is manually specified for eachsecurity association.

transform—List of operations performed on a dataflow to provide data authentication, data confidentiality,and data compression. For example, one transform is the ESP protocol with the HMAC-MD5 authenticationalgorithm; another transform is the AH protocol with the 56-bit DES encryption algorithm and the ESP protocolwith the HMAC-SHA authentication algorithm.

tunnel—In the context of this module, “tunnel” is a secure communication path between two peers, such astwo routers. It does not refer to using IPsec in tunnel mode.


VPN Acceleration ModuleGlossary

C H A P T E R 6IPv6 over IPv4 GRE Tunnel Protection

The IPv6 over IPv4 GRE Tunnel Protection feature allows both IPv6 unicast and multicast traffic to passthrough a protected generic routing encapsulation (GRE) tunnel.


• Prerequisites for IPv6 over IPv4 GRE Tunnel Protection, page 111

• Restrictions for IPv6 over IPv4 GRE Tunnel Protection, page 112

• Information About IPv6 over IPv4 GRE Tunnel Protection, page 112

• How to Configure IPv6 over IPv4 GRE Tunnel Protection, page 114

• Configuration Examples for IPv6 over IPv4 GRE Tunnel Protection, page 121


• Feature Information for IPv6 over IPv4 GRE Tunnel Protection, page 123



Prerequisites for IPv6 over IPv4 GRE Tunnel Protection• To enable this feature, you must configure IPsec tunnel protection on an IPv4 GRE tunnel.

• To enable IPv6 multicast, you must configure IPv6 multicast routing.




Restrictions for IPv6 over IPv4 GRE Tunnel ProtectionThe IPv6 over IPv4 GRE Tunnel Protection feature supports IPv6 over IPv4 point-to-point GRE tunnelprotection and not IPv6 over IPv4 mGRE tunnel protection.

Information About IPv6 over IPv4 GRE Tunnel Protection

GRE Tunnels with IPsecGeneric routing encapsulation (GRE) tunnels sometimes are combined with IPSec, because IPSec does notsupport IPv6 multicast packets. This function prevents dynamic routing protocols from running successfullyover an IPSec VPN network. Because GRE tunnels do support IPv6 multicast , a dynamic routing protocolcan be run over a GRE tunnel. Once a dynamic routing protocol is configured over a GRE tunnel, you canencrypt the GRE IPv6 multicast packets using IPSec.

IPSec can encrypt GRE packets using a crypto map or tunnel protection. Both methods specify that IPSecencryption is performed after GRE encapsulation is configured. When a crypto map is used, encryption isapplied to the outbound physical interfaces for the GRE tunnel packets. When tunnel protection is used,encryption is configured on the GRE tunnel interface.

The following figure shows encrypted packets that enter a router through a GRE tunnel interface using acrypto map on the physical interface. Once the packets are decrypted and decapsulated, they continue to theirIP destination as clear text.

Figure 11: Using a Crypto Map to Configure IPv6 over IPv4 GRE Tunnel Encryption


IPv6 over IPv4 GRE Tunnel ProtectionRestrictions for IPv6 over IPv4 GRE Tunnel Protection

The following figure shows encryption using tunnel protection command on the GRE tunnel interface. Theencrypted packets enter the router through the tunnel interface and are decrypted and decapsulated beforethey continue to their destination as clear text.

Figure 12: Using Tunnel Protection to Configure IPv6 over IPv4 GRE Tunnel Encryption

There are two key differences in using the crypto map and tunnel protection methods:

• The IPSec crypto map is tied to the physical interface and is checked as packets are forwarded outthrough the physical interface. At this point, the GRE tunnel has already encapsulated the packet.

• Tunnel protection ties the encryption functionality to the GRE tunnel and is checked after the packet isGRE encapsulated but before the packet is handed to the physical interface.


IPv6 over IPv4 GRE Tunnel ProtectionGRE Tunnels with IPsec

How to Configure IPv6 over IPv4 GRE Tunnel Protection

Configuring IPv6 over IPv4 GRE Encryption Using a Crypto Map

SUMMARY STEPS

1. enable2. configure terminal3. ipv6 multicast-routing4. ipv6 unicast-routing5. interface type number6. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}7. tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ip | gre ipv6 | ipip

[decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 |mpls | nos | rbscp}8. tunnel source {ip-address | ipv6-address | interface-typeinterface-number}9. tunnel destination {hostname | ip-address | ipv6-address}10. exit11. crypto isakmp policy priority12. authentication {rsa-sig | rsa-encr | pre-share}13. hash {sha |md5}14. group {1 | 2 | 5}15. encryption {des | 3des | aes 192 | aes 256}16. exit17. crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix}

| hostname hostname} [no-xauth]18. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]19. access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol

source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [time-rangetime-range-name] [fragments] [log [word] | log-input [word]]

20. crypto map [ipv6] map-name seq-num [ipsec-isakmp [dynamic dynamic-map-name | discover | profileprofile-name]]

21. set peer {hostname [dynamic] [default] | ip-address [default]}22. set transform-set transform-set-name [transform-set-name2...transform-set-name6]23. match address [access-list-id | name]24. exit25. interface type number26. crypto map map-name [redundancy standby-group-name [stateful]]27. end


IPv6 over IPv4 GRE Tunnel ProtectionHow to Configure IPv6 over IPv4 GRE Tunnel Protection

DETAILED STEPS







Step 2

Enables multicast routing using Protocol IndependentMulticast (PIM) and Multicast Listener Discovery

ipv6 multicast-routing

Example:Router(config)# ipv6 multicast-routing

Step 3

(MLD) on all IPv6-enabled interfaces of the routerand enables multicast forwarding.

• Enable this command only if you are using IPv6multicast. If you are using IPv6 unicast, you neednot enable this command.

Enables the forwarding of IPv6 unicast datagrams.ipv6 unicast-routing

Example:Router(config)# ipv6 unicast-routing

Step 4

Specifies a tunnel interface and number, and entersinterface configuration mode.


Example:Router(config)# interface tunnel 10

Step 5

Configures an IPv6 address based on an IPv6 generalprefix and enables IPv6 processing on an interface.

ipv6 address {ipv6-address/prefix-length | prefix-namesub-bits/prefix-length}

Example:Router(config-if)# ipv6 address 0:0:0:7272::72/64

Step 6

Sets the encapsulation mode for the tunnel interface.tunnel mode {aurp | cayman | dvmrp | eon | gre | gremultipoint | gre ip | gre ipv6 | ipip [decapsulate-any] | ipsecipv4 | iptalk | ipv6 | ipsec ipv6 |mpls | nos | rbscp}

Step 7

Example:Router(config-if)# tunnel mode gre ip

Sets the source address for a tunnel interface.tunnel source {ip-address | ipv6-address |interface-typeinterface-number}

Step 8

Example:Router(config-if)# tunnel source ethernet0


IPv6 over IPv4 GRE Tunnel ProtectionConfiguring IPv6 over IPv4 GRE Encryption Using a Crypto Map


Specifies the destination for a tunnel interface.tunnel destination {hostname | ip-address | ipv6-address}

Example:Router(config-if)# tunnel destination 172.16.0.12

Step 9

Exits interface configuration mode and returns toglobal configuration mode.

exit

Example:Router(config-if)# exit

Step 10

Defines an Internet Key Exchange (IKE) policy, andenters ISAKMP policy configuration mode.

crypto isakmp policy priority

Example:Router(config)# crypto isakmp policy 15

Step 11

• Policy number 1 indicates the policy with thehighest priority. The lower the priority argumentvalue, the higher the priority.

Specifies the authentication method within an IKEpolicy.

authentication {rsa-sig | rsa-encr | pre-share}

Example:Router(config-isakmp-policy)# authenticationpre-share

Step 12

• The rsa-sig and rsa-encr keywords are notsupported in IPv6.

Specifies the hash algorithm within an IKE policy.hash {sha |md5}

Example:Router(config-isakmp-policy)# hash md5

Step 13

Specifies the Diffie-Hellman group identifier withinan IKE policy.

group {1 | 2 | 5}

Example:Router(config-isakmp-policy)# group 2

Step 14

Specifies the encryption algorithm within an IKEpolicy.

encryption {des | 3des | aes 192 | aes 256}

Example:Router(config-isakmp-policy)# encryption 3des

Step 15

Exits ISAKMP policy configuration mode and entersglobal configuration mode.

exit

Example:Router(config-isakmp-policy)# exit

Step 16

Configures a preshared authentication key.crypto isakmp key enc-type-digit keystring {addresspeer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} |hostname hostname} [no-xauth]

Step 17

Example:Router(config)# crypto isakmp key cisco-10 address172.16.0.12 255.240.0.0




Defines a transform set.crypto ipsec transform-set transform-set-name transform1[transform2] [transform3] [transform4]

Step 18

Example:Router(config)# crypto ipsec transform-set myset0ah-sha-hmac esp-3des

Defines an extended IP access list.access-list access-list-number [dynamic dynamic-name[timeout minutes]] {deny | permit} protocol source

Step 19

source-wildcard destination destination-wildcard [precedenceprecedence] [tos tos] [time-range time-range-name][fragments] [log [word] | log-input [word]]

Example:Router(config)# access-list 110 permit gre host192.168.0.16 host 172.16.0.12

Creates a new crypto map entry or profile and enterscrypto map configuration mode.

crypto map [ipv6] map-name seq-num [ipsec-isakmp[dynamic dynamic-map-name | discover | profileprofile-name]]

Step 20

Example:Router(config)# crypto map mymap 10 ipsec-isakmp

Specifies an IP Security (IPsec) peer in a crypto mapentry.

set peer {hostname [dynamic] [default] | ip-address[default]}

Example:Router(config-crypto-map)# set peer 10.0.0.1

Step 21

Specifies the transform set that can be used with thecrypto map entry.


Example:Router(config-crypto-map)# set transform-set myset0

Step 22

Specifies an extended access list for a crypto mapentry.

match address [access-list-id | name]

Example:Router(config-crypto-map)# match address 102

Step 23

Exits crypto map configuration mode and returns toglobal configuration mode.

exit

Example:Router(config-crypto-map)# exit

Step 24

Specifies an interface and number and enters interfaceconfiguration mode.


Example:Router(config)# interface ethernet 1

Step 25




Applies a previously defined crypto map set to anoutbound interface.

crypto map map-name [redundancy standby-group-name[stateful]]

Example:Router(config-if)# crypto map mymap

Step 26


end

Example:Router(config-if)# end

Step 27

Configuring IPv6 over IPv4 GRE Encryption Using Tunnel Protection

SUMMARY STEPS

1. enable2. configure terminal3. ipv6 multicast-routing4. ipv6 unicast-routing5. crypto isakmp policy priority6. authentication {rsa-sig | rsa-encr | pre-share}7. hash {sha |md5}8. group {1 | 2 | 5}9. encryption {des | 3des | aes | aes 192 | aes 256}10. exit11. crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix}

| hostname hostname} [no-xauth]12. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]13. crypto ipsec profile profile-name14. set transform-set transform-set-name [transform-set-name2...transform-set-name6]15. exit16. interface type number17. ipv6 address {ipv6-address / prefix-length | prefix-name sub-bits/prefix-length}18. tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ip | gre ipv6 |

ipip[decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 |mpls | nos | rbscp}19. tunnel source {ip-address | ipv6-address | interface-type interface-number}20. tunnel destination {hostname | ip-address | ipv6-address}21. tunnel protection ipsec profile name [shared]22. end


IPv6 over IPv4 GRE Tunnel ProtectionConfiguring IPv6 over IPv4 GRE Encryption Using Tunnel Protection

DETAILED STEPS







Step 2

Enables multicast routing using Protocol IndependentMulticast (PIM) andMulticast Listener Discovery (MLD)

ipv6 multicast-routing

Example:Router(config)# ipv6 multicast-routing

Step 3

on all IPv6-enabled interfaces of the router and enablesmulticast forwarding.

• Enable this command only if you are using IPv6multicast. If you are using IPv6 unicast, you do notneed to enable this command.

Enables the forwarding of IPv6 unicast datagrams.ipv6 unicast-routing

Example:Router(config)# ipv6 unicast-routing

Step 4

Defines an IKE policy, and enters ISAKMP policyconfiguration mode.

crypto isakmp policy priority

Example:Router(config)# crypto isakmp policy 15

Step 5

Policy number 1 indicates the policy with the highestpriority. The lower the priority argument value, the higherthe priority.

Specifies the authentication method within an InternetKey Exchange (IKE) policy.

authentication {rsa-sig | rsa-encr | pre-share}

Example:Router(config-isakmp-policy)# authenticationpre-share

Step 6

• The rsa-sig and rsa-encr keywords are notsupported in IPv6.

Specifies the hash algorithm within an IKE policy.hash {sha |md5}

Example:Router(config-isakmp-policy)# hash md5

Step 7

Specifies the Diffie-Hellman group identifier within anIKE policy.

group {1 | 2 | 5}

Example:Router(config-isakmp-policy)# group 2

Step 8




Specifies the encryption algorithm within an IKE policy.encryption {des | 3des | aes | aes 192 | aes 256}

Example:Router(config-isakmp-policy)# encryption 3des

Step 9

Exits ISAKMP policy configuration mode and returns toglobal configuration mode.

exit

Example:Router(config-isakmp-policy)# exit

Step 10

Configures a preshared authentication key.crypto isakmp key enc-type-digit keystring {addresspeer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} |hostname hostname} [no-xauth]

Step 11

Example:Router(config)# crypto isakmp key cisco-10address 172.16.0.12 255.240.0.0

Defines a transform set, and places the router in cryptotransform configuration mode.

crypto ipsec transform-set transform-set-nametransform1 [transform2] [transform3] [transform4]

Example:Router(config)# crypto ipsec transform-set myset0ah-sha-hmac esp-3des

Step 12

Defines the IPsec parameters that are to be used for IPsecencryption between two IPsec routers and enters IPsecprofile configuration mode.

crypto ipsec profile profile-name

Example:Router(config)# crypto ipsec profile ipsecprof

Step 13

Specifies the transform set that can be used with the cryptomap entry.


Example:Router(ipsec-profile)# set transform-set myset0

Step 14

Exits IPsec profile configuration mode and returns toglobal configuration mode.

exit

Example:Router(ipsec-profile)# exit

Step 15

Specifies a tunnel interface and number and entersinterface configuration mode.


Example:Router(config)# interface tunnel 1

Step 16




Specifies the IPv6 network assigned to the interface andenables IPv6 processing on the interface.

ipv6 address {ipv6-address / prefix-length | prefix-namesub-bits/prefix-length}

Example:Router(config-if)# ipv6 address3ffe:b00:c18:1::3/127

Step 17

Specifies a GRE IPv6 tunnel.tunnel mode {aurp | cayman | dvmrp | eon | gre | gremultipoint | gre ip | gre ipv6 | ipip[decapsulate-any] |ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 |mpls | nos | rbscp}

Step 18

Example:Router(config-if)# tunnel mode gre ip

Specifies the source address or the source interface typeand number for the tunnel interface.

tunnel source {ip-address | ipv6-address | interface-typeinterface-number}

Example:Router(config-if)# tunnel source 10.0.0.1

Step 19

Specifies the destination address or hostname for thetunnel interface.

tunnel destination {hostname | ip-address | ipv6-address}

Example:Router(config-if)# tunnel destination 172.16.0.12

Step 20

Associates a tunnel interface with an IPsec profile.tunnel protection ipsec profile name [shared]

Example:Router(config-if)# tunnel protection ipsecprofile ipsecprof

Step 21


end

Example:Router(config-if)# end

Step 22

Configuration Examples for IPv6 over IPv4 GRE Tunnel Protection

Example: Configuring IPv6 over IPv4 GRE Encryption Using a Crypto MapRouter> enableRouter# configure terminalRouter(config)# ipv6 multicast-routingRouter(config)# ipv6 unicast-routingRouter(config)# interface tunnel 10Router(config-if)# ipv6 address my-prefix 0:0:0:7272::72/64


IPv6 over IPv4 GRE Tunnel ProtectionConfiguration Examples for IPv6 over IPv4 GRE Tunnel Protection

Router(config-if)# tunnel mode gre ipRouter(config-if)# tunnel source ethernet0Router(config-if)# tunnel destination 172.16.0.12Router(config-if)# exitRouter(config)# crypto isakmp policy 15Router(config-isakmp-policy)# authentication pre-shareRouter(config-isakmp-policy)# hash md5Router(config-isakmp-policy)# group 2Router(config-isakmp-policy)# encryption 3desRouter(config-isakmp-policy)# exitRouter(config)# crypto isakmp key cisco-10 address 172.16.0.12 255.240.0.0Router(config)# crypto ipsec transform-set myset0 ah-sha-hmac esp-3desRouter(config)# access-list 110 permit gre host 192.168.0.16 host 172.16.0.12Router(config)# crypto map mymap 10 ipsec-isakmpRouter(config-crypto-map)# set peer 10.0.0.1Router(config-crypto-map)# set transform-set myset0Router(config-crypto-map)# match address 102Router(config-crypto-map)# exitRouter(config)# interface ethernet1Router(config-if)# crypto map mymapRouter(config-if)# end

Example: Configuring IPv6 over IPv4 GRE Encryption Using Tunnel ProtectionThe following example configures IPsec tunnel protection on an IPv4 GRE tunnel. IPv6 multicast routing isenabled using the ipv6 multicast-routing command.Router> enableRouter# configure terminalRouter(config)# ipv6 multicast-routingRouter(config)# ipv6 unicast-routingRouter(config)# crypto isakmp policy 15Router(config-isakmp-policy)# authentication pre-shareRouter(config-isakmp-policy)# hash md5Router(config-isakmp-policy)# group 2Router(config-isakmp-policy)# encryption 3desRouter(config-isakmp-policy)# exitRouter(config)# crypto isakmp key cisco-10 address 172.16.0.12 255.240.0.0Router(config)# crypto ipsec transform-set myset0 ah-sha-hmac esp-3desRouter(config)# crypto ipsec profile ipsecprofRouter(ipsec-profile)# set transform-set myset0Router(ipsec-profile)# exitRouter(config)# interface tunnel 1Router(config-if)# ipv6 address 3ffe:b00:c18:1::3/127Router(config-if)# tunnel mode gre ipRouter(config-if)# tunnel source 10.0.0.1Router(config-if)# tunnel destination 172.16.0.12Router(config-if)# tunnel protection ipsec profile ipsecprofRouter(config-if)# end

Additional ReferencesRelated Documents


IPv6 Implementation GuideIPv6 Multicast Routing

Cisco IOS Master Commands List, All ReleasesCisco IOS commands


IPv6 over IPv4 GRE Tunnel ProtectionExample: Configuring IPv6 over IPv4 GRE Encryption Using Tunnel Protection

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/xe-3s/ipv6-xe-36s-book.html







Security commands: complete command syntax,command mode, command history, defaults, usageguidelines, and examples


LinkDescription


Feature Information for IPv6 over IPv4 GRE Tunnel ProtectionThe following table provides release information about the feature or features described in this module. Thistable lists only the software release that introduced support for a given feature in a given software releasetrain. Unless noted otherwise, subsequent releases of that software release train also support that feature.



IPv6 over IPv4 GRE Tunnel ProtectionFeature Information for IPv6 over IPv4 GRE Tunnel Protection











Table 8: Feature Information for IPv6 over IPv4 GRE Tunnel Protection

Feature InformationReleasesFeature Name

The IPv6 over IPv4 GRE tunnelprotection feature allows both IPv6unicast and multicast traffic to passthrough a protected GRE tunnel.

The following sections provideinformation about this feature:

• Information About IPv6 overIPv4 GRE Tunnel Protection

• How to Configure IPv6 overIPv4 GRE Tunnel Protection

Cisco IOS XE Release 3.5SIPv6 over IPv4 GRE TunnelProtection


IPv6 over IPv4 GRE Tunnel ProtectionFeature Information for IPv6 over IPv4 GRE Tunnel Protection

I N D E X

A

access lists 8See also IKE\ 8

access-list (encryption) command 23, 97AH (authentication header) 3

C

crypto dynamic-map command 32crypto ipsec transform-set command 25, 98crypto map command 29, 99

D

dynamic crypto maps 19See IPSec, crypto maps 19

E

encapsulations, IPSec-supported 7ESP (encapsulating security payload) 3

I

IKE (Internet Key Exchange) security protocol 3, 20protocol 3tunnel endpoint discovery (TED) 20

description 20restrictions 20

IPSec (IPSec network security protocol) 2, 3, 7, 8, 9, 12, 13, 17, 18, 19, 23, 25, 29, 32, 36, 98, 99

access lists 8crypto access lists 9, 12, 13, 23

any keyword, using 13manually established SAs 23mirror images 12

IPSec (IPSec network security protocol) (continued)crypto access lists (continued)

purpose 9crypto maps 17, 18, 19

dynamic 19creating 19definition 19

purpose 17quantity 18

encapsulations supported 7how it works 8monitoring 32, 36NAT, configuring 2network services 8protocol 3restrictions 2SAs 8, 19, 23, 25, 29, 98, 99

clearing 25, 98IKE negotiations 8, 19, 29, 99manual negotiations 8, 23

supported standards 3traffic protected, defining 8transform sets 8

IPSec, access lists\ 8

M

match address command 29, 32, 99MD5 (Message Digest 5) algorithm 3

N

NAT, configuring IPSec for 2

R

RFC 1829, The ESP DES-CBC Transform 3

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S IN-1

S

SafeNet IPSec VPN Client Support 72, 73, 77, 78additional references 78configuration examples 77how to configure 73prerequisites 72restrictions 72

SAs (security associations) 19, 23, 29, 99IKE established crypto map entries, creating 19, 29, 99manually established 23

crypto access lists, defining 23crypto map entries, creating 23

set peer command 29, 32, 99

set pfs command 29, 99set security-association level per-host command 29, 99set security-association lifetime command 29, 32, 99set transform-set command 29, 32, 99SHA (Secure Hash Algorithm) 3

T

tunnel endpoint discovery (TED) 20description 20restrictions 20

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15SIN-2

Index